CVE-2025-68645

HighCISA KEVActive Exploitation

Published: 22 December 2025

Published

22 December 2025

Modified

23 January 2026

KEV Added

22 January 2026

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.5096 97.9th percentile

Risk Priority 68 60% EPSS · 20% KEV · 20% CVSS

Description

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the…

/h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing the LFI vulnerability by applying vendor patches for affected ZCS versions.

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of user-supplied request parameters in the RestFilter servlet to prevent path traversal and arbitrary file inclusion from WebRoot.

SC-7 Boundary Protection partial match

prevent

SC-7 enforces boundary protection to inspect and block crafted unauthenticated requests to the /h/rest endpoint exploiting the LFI vulnerability.

Security SummaryAI

CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability, mapped to CWE-98, affecting the Webmail Classic UI in Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1. The flaw arises from improper handling of user-supplied request parameters within the RestFilter servlet, enabling attackers to manipulate internal request dispatching. Published on 2025-12-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high potential impact across confidentiality, integrity, and availability.

An unauthenticated remote attacker can exploit the vulnerability by crafting requests to the /h/rest endpoint, tricking a user into interacting with a malicious payload—such as clicking a link in a phishing email. Successful exploitation allows inclusion of arbitrary files from the WebRoot directory, potentially exposing sensitive configuration data, source code, or other server files, depending on directory contents and permissions.

Zimbra's Security Center wiki and Responsible Disclosure Policy provide relevant advisory details on patches and mitigation steps. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog, signaling real-world exploitation by threat actors. Security practitioners should prioritize patching affected ZCS instances and monitor for anomalous /h/rest requests.

Details

CWE(s): CWE-98
KEV Date Added: 22 January 2026

Affected Products

synacor

zimbra collaboration suite

10.0.0 — 10.0.18 · 10.1.0 — 10.1.13

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The LFI vulnerability in the public-facing Zimbra Webmail application directly enables exploitation of a public-facing application (T1190) via crafted requests to the /h/rest endpoint, often delivered through user interaction like phishing links.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://wiki.zimbra.com/wiki/Security_Center
Release Notes, Vendor Advisory · cve@mitre.org
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Product · cve@mitre.org
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0