AI description
CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability found in the Webmail Classic UI of Zimbra Collaboration (ZCS) versions 10.0 and 10.1. This vulnerability stems from the improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can exploit this vulnerability by crafting requests to the `/h/rest` endpoint. This allows the attacker to influence internal request dispatching, leading to the inclusion of arbitrary files from the WebRoot directory.
- Description: A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
- Source: cve@mitre.org
- NVD status: Analyzed
- Products: zimbra_collaboration_suite
CVSS 3.1
- Type: Secondary
- Base score: 8.8
- Impact score: 5.9
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity: HIGH
Data from CISA
- Vulnerability name: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
- Exploit added on: Jan 22, 2026
- Exploit action due: Feb 12, 2026
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-98
- Hype score: Not currently trending
🛡️ Heads up! Cloudflare WAF is adding new protections against Zimbra & Vite vulnerabilities (CVE-2025-68645 & CVE-2025-31125) on Feb 9th. Stay secure with our proactive threat detection! 🚀 https://t.co/0IT2wg9qnr
@mveracf
6 Feb 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 This week’s CrowdSec Threat Alert article highlights CVE-2025-68645 (LFI) and CVE-2022-27926 (XSS), actively exploited in the wild against Zimbra Collaboration servers. Explore attack details, threat trends, and mitigation steps in the article 👉 https://t.co/A6Fz6QCJVD
@Crowd_Security
2 Feb 2026
225 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA has confirmed that a critical vulnerability in Synacor Zimbra Collaboration Suite (ZCS) poses significant risks to organizations worldwide. This PHP remote file inclusion flaw, tracked as CVE-2025-68645, allows attackers to manipulate the /h/rest endpoint to include
@ox0ffff
31 Jan 2026
82 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68645: Zimbra LFI—unauth file read via /h/rest. Five-line exploit. Patch available since Nov 2025, exploitation active since Jan 14. Attackers pulling /etc/passwd and OAuth tokens. You sat on the patch for 2 months. Now you're hosting their mail server.
@CisoRaging77913
30 Jan 2026
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CISA alert: Hackers are actively exploiting Zimbra, Versa, Vite & Prettier! CVE-2025-68645 (Zimbra) now in the Known Exploited Vulnerabilities catalog. Patch ASAP! 🛡️ #CyberSecurity #CISA #ZeroDay
@NewsLive360
25 Jan 2026
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The recent disclosure of CVE-2025-68645 in Synacor Zimbra Collaboration Suite highlights a critical juncture where geopolitical tensions and cyber conflict intersect. As nation-states and advanced persistent threat groups escalate their focus on critical infrastructure and
@ox0ffff
25 Jan 2026
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68645 CVE-2025-34026 CVE-2025-31125 CVE-2025-54313 CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities Jan 23, 2026 https://t.co/8V92lYMDDx
@tdatwja
24 Jan 2026
317 Impressions
0 Retweets
3 Likes
0 Bookmarks
1 Reply
0 Quotes
The recent CISA KEV entry for CVE-2025-68645 in Synacor Zimbra Collaboration Suite highlights a critical juncture in the evolving cyber-geopolitical landscape. While the vulnerability itself is technical, its implications align with patterns observed in state-sponsored cyber
@ox0ffff
23 Jan 2026
69 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA KEV update: 4 vulnerabilities are confirmed exploited in the wild: Versa Concerto (CVE-2025-34026), Zimbra Classic UI (CVE-2025-68645), Vite dev server exposure (CVE-2025-31125), and an eslint-config-prettier supply chain trojan (CVE-2025-54313). What to patch and check:
@Anavem_
23 Jan 2026
786 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
‼️CISA has added 5 vulnerabilities to the KEV Catalog https://t.co/9idGUAHIKd CVE-2024-37079: Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability CVE-2025-68645: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability CVE-2025-34026:
@DarkWebInformer
23 Jan 2026
2470 Impressions
5 Retweets
18 Likes
5 Bookmarks
1 Reply
0 Quotes
Jan 23, 2026 🚨 CISA has added four actively exploited vulnerabilities to its KEV catalog, including CVE-2025-68645 in Synacor ZCS (CVSS 8.8). Organizations must prioritize patching to mitigate risks. https://t.co/gfMqhqEvV8
@kernyx64
23 Jan 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-68645 #Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability https://t.co/7wRVoLAXlt
@ScyScan
23 Jan 2026
42 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: La Settimana Cibernetica of 11 January 2026 🔹 updates for multiple products 🔹 Zimbra: public PoC for exploitation of CVE-2025-68645 🔹 Ni8mare: public PoC for exploitation of a vulnerability in n8n ⚠️ #EPSS 🔗 … https://t.co/xA
@Vulcanux_
12 Jan 2026
97 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
La Settimana Cibernetica of 11 January 2026 🔹 updates for multiple products 🔹 Zimbra: public PoC for exploitation of CVE-2025-68645 🔹 Ni8mare: public PoC for exploitation of a vulnerability in n8n ⚠️ #EPSS 🔗 https://t.co/iHFDivTJpZ https
@csirt_it
12 Jan 2026
213 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
⚠️ Vulnerability in Zimbra products ❗ CVE-2025-68645 ➡️ More info: https://t.co/SQvZ9kDmbd https://t.co/nkQ2pDWOk4
@CERTpy
9 Jan 2026
141 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼ #Zimbra: a Proof of Concept (#PoC) for exploiting vulnerability CVE-2025-68645 affecting #ZCS (Zimbra Collaboration Suite) is available online. Risk: 🟠 🔗 https://t.co/5tfdGhJMng ⚠ It is important to update the affected… https://t.co/lf
@Vulcanux_
8 Jan 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
‼ #Zimbra: a Proof of Concept (#PoC) for exploiting vulnerability CVE-2025-68645 affecting #ZCS (Zimbra Collaboration Suite) is available online. Risk: 🟠 🔗 https://t.co/Q421IuIbvg ⚠ It is important to update the affected products https://t.co/sC9Vh
@csirt_it
8 Jan 2026
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
zimbramail-CVE-2025-68645-poc https://t.co/jh0ylYqySN
@MBlacksolo
3 Jan 2026
121 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Plugin update: ZimbraPlugin (CVE-2025-68645). Zimbra Collaboration Suite 10.0 and 10.1 affected by unauthenticated LFI vulnerability. Results: https://t.co/saXK96Y4XS https://t.co/xPIAmxApz4
@leak_ix
2 Jan 2026
713 Impressions
4 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 BREAKING: Zimbra Webmail 0-Day LFI Exploit Dropped! 🚨 PoC for CVE-2025-68645 is now public! A critical Local File Inclusion flaw in Zimbra 10.0/10.1 Classic UI. #hacking #cybersecurity #infosec https://t.co/j04SYCmlTY
@TheExploitLab
1 Jan 2026
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
It's mail party time 😭 ⚠ SmarterMail CVE-2025-52691 🡇 pre-auth file upload /api/upload Detect https://t.co/L062in71SZ ⚠ Zimbra CVE-2025-68645 🡅 pre-auth file download PoC http://cible/h/rest?javax.servlet.include.servlet_path=/WEB-INF
@mynameisv_
31 Dec 2025
92 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
/h/rest is not the only route to exploit #CVE-2025-68645
@Hibawb6CJ01179
31 Dec 2025
91 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-68645 - high 🚨 Zimbra Collaboration - Local File Inclusion > Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion caused by imp... 👾 https://t.co/rJeusagtdG @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
31 Dec 2025
386 Impressions
3 Retweets
6 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68645 PoC http://127.0.0.1/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml #CVE
@sirifu4k1
30 Dec 2025
17281 Impressions
24 Retweets
108 Likes
84 Bookmarks
1 Reply
1 Quote
CVE-2025-68645 PoC? It's really hard to repeat it.
@Hibawb6CJ01179
29 Dec 2025
102 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Zimbra patches a high-severity LFI (CVE-2025-68645) allowing unauthenticated file access and a Flickr Zimlet credential leak. Upgrade to v10.1.13! #Zimbra #ZCS #CyberSecurity #LFI #Infosec #Vulnerability #PatchNow #CVE202568645 https://t.co/uMlKDhk5iS
@the_yellow_fall
25 Dec 2025
1851 Impressions
11 Retweets
38 Likes
13 Bookmarks
0 Replies
0 Quotes
🟠 CVE-2025-68645 - High A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the... https://t.co/u3D9ie1HV4 https://t.co/BeI5VSNMxX
@TheHackerWire
22 Dec 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7D423DB3-FCD4-445F-A778-BC5F83E01953",
            "versionEndExcluding": "10.0.18",
            "versionStartIncluding": "10.0.0"
          },
          {
            "criteria": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7C3F6B1E-1671-461B-A093-7B6854C227FE",
            "versionEndExcluding": "10.1.13",
            "versionStartIncluding": "10.1.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]