CVE-2025-68645

Published Dec 22, 2025

Last updated 3 months ago

Exploit knownCVSS high 8.8
web application
API
Network
Zimbra ZCS
Port (443)
Zero-day

Overview

Description
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
Source
cve@mitre.org
NVD status
Analyzed
Products
zimbra_collaboration_suite

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
Exploit added on
Jan 22, 2026
Exploit action due
Feb 12, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-98

Social media

Hype score
Not currently trending

  1. 🛡️ Alerta de Seguridad: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability (CVE-2025-68645) Synacor Zimbra Collaboration Suite (ZCS) contiene una vulnerabilidad de inclusión remota de archivos PHP (CWE-98) en el endpoint /h/rest, permitiendo a

    @CiberPlanetaOrg

    16 Mar 2026

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔔 New Outbreak Alert: #FortiGuardLabs confirmed an actively exploited Local File Inclusion (LFI) vulnerability in #Zimbra Collaboration Suite Webmail Classic UI (CVE-2025-68645) allowing unauthenticated attackers to expose sensitive configuration files and application data. G

    @FortiGuardLabs

    26 Feb 2026

    429 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. 🛡️ Heads up! Cloudflare WAF is adding new protections against Zimbra & Vite vulnerabilities (CVE-2025-68645 & CVE-2025-31125) on Feb 9th. Stay secure with our proactive threat detection! 🚀 https://t.co/0IT2wg9qnr

    @mveracf

    6 Feb 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 This week’s CrowdSec Threat Alert article highlights CVE-2025-68645 (LFI) and CVE-2022-27926 (XSS), actively exploited in the wild against Zimbra Collaboration servers. Explore attack details, threat trends, and mitigation steps in the article 👉 https://t.co/A6Fz6QCJVD

    @Crowd_Security

    2 Feb 2026

    225 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CISA has confirmed that a critical vulnerability in Synacor Zimbra Collaboration Suite (ZCS) poses significant risks to organizations worldwide. This PHP remote file inclusion flaw, tracked as CVE-2025-68645, allows attackers to manipulate the /h/rest endpoint to include

    @ox0ffff

    31 Jan 2026

    82 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-68645: Zimbra LFI—unauth file read via /h/rest. Five-line exploit. Patch available since Nov 2025, exploitation active since Jan 14. Attackers pulling /etc/passwd and OAuth tokens. You sat on the patch for 2 months. Now you're hosting their mail server.

    @CisoRaging77913

    30 Jan 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 CISA alert: Hackers are actively exploiting Zimbra, Versa, Vite & Prettier! CVE-2025-68645 (Zimbra) now in the Known Exploited Vulnerabilities catalog. Patch ASAP! 🛡️ #CyberSecurity #CISA #ZeroDay

    @NewsLive360

    25 Jan 2026

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. The recent disclosure of CVE-2025-68645 in Synacor Zimbra Collaboration Suite highlights a critical juncture where geopolitical tensions and cyber conflict intersect. As nation-states and advanced persistent threat groups escalate their focus on critical infrastructure and

    @ox0ffff

    25 Jan 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-68645 CVE-2025-34026 CVE-2025-31125 CVE-2025-54313 CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities Jan 23, 2026 https://t.co/8V92lYMDDx

    @tdatwja

    24 Jan 2026

    317 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. The recent CISA KEV entry for CVE-2025-68645 in Synacor Zimbra Collaboration Suite highlights a critical juncture in the evolving cyber-geopolitical landscape. While the vulnerability itself is technical, its implications align with patterns observed in state-sponsored cyber

    @ox0ffff

    23 Jan 2026

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CISA KEV update: 4 vulnerabilities are confirmed exploited in the wild: Versa Concerto (CVE-2025-34026), Zimbra Classic UI (CVE-2025-68645), Vite dev server exposure (CVE-2025-31125), and a eslint-config-prettier supply chain trojan (CVE-2025-54313). What to patch and check:

    @Anavem_

    23 Jan 2026

    786 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. ‼️CISA has added 5 vulnerabilities to the KEV Catalog https://t.co/9idGUAHIKd CVE-2024-37079: Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability CVE-2025-68645: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability CVE-2025-34026:

    @DarkWebInformer

    23 Jan 2026

    2470 Impressions

    5 Retweets

    18 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

  13. Jan 23, 2026 🚨 CISA has added four actively exploited vulnerabilities to its KEV catalog, including CVE-2025-68645 in Synacor ZCS (CVSS 8.8). Organizations must prioritize patching to mitigate risks. https://t.co/gfMqhqEvV8

    @kernyx64

    23 Jan 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-68645 #Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability https://t.co/7wRVoLAXlt

    @ScyScan

    23 Jan 2026

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. csirt_it: La Settimana Cibernetica del 11 gennaio 2026 🔹aggiornamenti per molteplici prodotti 🔹 Zimbra: PoC pubblico per lo sfruttamento della CVE-2025-68645 🔹 Ni8mare: PoC pubblico per lo sfruttamento di una vulnerabilità in n8n ⚠️ #EPSS 🔗 … https://t.co/xA

    @Vulcanux_

    12 Jan 2026

    97 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. La Settimana Cibernetica del 11 gennaio 2026 🔹aggiornamenti per molteplici prodotti 🔹 Zimbra: PoC pubblico per lo sfruttamento della CVE-2025-68645 🔹 Ni8mare: PoC pubblico per lo sfruttamento di una vulnerabilità in n8n ⚠️ #EPSS 🔗 https://t.co/iHFDivTJpZ https

    @csirt_it

    12 Jan 2026

    213 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  17. ⚠️ Vulnerabilidad en productos Zimbra ❗ CVE-2025-68645 ➡️ Más info: https://t.co/SQvZ9kDmbd https://t.co/nkQ2pDWOk4

    @CERTpy

    9 Jan 2026

    141 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. csirt_it: ‼ #Zimbra: Proof of Concept (#PoC) per lo sfruttamento della vulnerabilità CVE-2025-68645 relativa a #ZCS (Zimbra Collaboration Suite), risulta disponibile in rete Rischio: 🟠 🔗 https://t.co/5tfdGhJMng ⚠ Importante aggiornare i prodotti i… https://t.co/lf

    @Vulcanux_

    8 Jan 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. ‼ #Zimbra: Proof of Concept (#PoC) per lo sfruttamento della vulnerabilità CVE-2025-68645 relativa a #ZCS (Zimbra Collaboration Suite), risulta disponibile in rete Rischio: 🟠 🔗 https://t.co/Q421IuIbvg ⚠ Importante aggiornare i prodotti interessati https://t.co/sC9Vh

    @csirt_it

    8 Jan 2026

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. zimbramail-CVE-2025-68645-poc https://t.co/jh0ylYqySN

    @MBlacksolo

    3 Jan 2026

    121 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 Plugin update: ZimbraPlugin (CVE-2025-68645). Zimbra Collaboration Suite 10.0 and 10.1 affected by unauthenticated LFI vulnerability. Results: https://t.co/saXK96Y4XS https://t.co/xPIAmxApz4

    @leak_ix

    2 Jan 2026

    713 Impressions

    4 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 BREAKING: Zimbra Webmail 0-Day LFI Exploit Dropped! 🚨 PoC for CVE-2025-68645 is now public! A critical Local File Inclusion flaw in Zimbra 10.0/10.1 Classic UI. #hacking #cybersecurity #infosec https://t.co/j04SYCmlTY

    @TheExploitLab

    1 Jan 2026

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. C'est la fête du mail 😭 ⚠ SmarterMail CVE-2025-52691 🡇Téléversement pré-auth de fichier /api/upload Detect https://t.co/L062in71SZ ⚠ Zimbra CVE-2025-68645 🡅Téléchargement pré-auth de fichier PoC http://cible/h/rest?javax.servlet.include.servlet_path=/WEB-INF

    @mynameisv_

    31 Dec 2025

    92 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. /h/rest is not only router to exploit #CVE-2025-68645

    @Hibawb6CJ01179

    31 Dec 2025

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🚨 CVE-2025-68645 - high 🚨 Zimbra Collaboration - Local File Inclusion > Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion caused by imp... 👾 https://t.co/rJeusagtdG @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    31 Dec 2025

    386 Impressions

    3 Retweets

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. CVE-2025-68645 poc http://127.0.0.1/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml #CVE

    @sirifu4k1

    30 Dec 2025

    17281 Impressions

    24 Retweets

    108 Likes

    84 Bookmarks

    1 Reply

    1 Quote

  27. CVE-2025-68645 poc? it's really hard to repeat it.

    @Hibawb6CJ01179

    29 Dec 2025

    102 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Zimbra patches a high-severity LFI (CVE-2025-68645) allowing unauthenticated file access and a Flickr Zimlet credential leak. Upgrade to v10.1.13! #Zimbra #ZCS #CyberSecurity #LFI #Infosec #Vulnerability #PatchNow #CVE202568645 https://t.co/uMlKDhk5iS

    @the_yellow_fall

    25 Dec 2025

    1851 Impressions

    11 Retweets

    38 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  29. 🟠 CVE-2025-68645 - High A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the... https://t.co/u3D9ie1HV4 https://t.co/BeI5VSNMxX

    @TheHackerWire

    22 Dec 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Adobe Acrobat and Reader Prototype Pollution VulnerabilityCVE-2026-34621
  2. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  3. A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.CVE-2026-25197
  4. Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.CVE-2026-31937
  5. Google Dawn Use-After-Free VulnerabilityCVE-2026-5281

References

Sources include official advisories and independent security research.