8.8

CVE-2025-68645

Warning
Media report
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
Data provided by the National Vulnerability Database (NVD)
Synacor Zimbra Collaboration Suite Version >= 10.0.0 < 10.0.18
Synacor Zimbra Collaboration Suite Version >= 10.1.0 < 10.1.13

22.01.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability

Description: Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Required actions: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 31.77% | 0.981

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

VulnDex Intel
Media Report
26.01.2026 15:00
VulnDex Intel
Media Report
09.01.2026 09:24
https://wiki.zimbra.com/wiki/Security_Center
Vendor Advisory
Release Notes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
Product
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645
US Government Resource