CVE-2025-68645

Warnung

Medienbericht

EPSS 20.85%
Veröffentlicht 22.12.2025 18:16:17
Zuletzt bearbeitet 23.01.2026 18:39:33
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Synacor ≫ Zimbra Collaboration Suite Version >= 10.0.0 < 10.0.18

Synacor ≫ Zimbra Collaboration Suite Version >= 10.1.0 < 10.1.13

22.01.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability

Schwachstelle

Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	20.85%	0.955

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

https://www.heise.de/news/CISA-Warnung-vor-Angriffen-auf-VMware-vCenter-Zimbra-und-mehr-11154275.html

Medienbericht

heise Security

26.01.2026 15:00

https://www.heise.de/news/BSI-CERT-Bund-bemaengelt-viele-verwundbare-Zimbra-Server-11135422.html

Medienbericht

heise Security

09.01.2026 09:24

https://wiki.zimbra.com/wiki/Security_Center

Vendor Advisory

Release Notes

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy