CVE-2025-25064
Published: 03 February 2025
Summary
CVE-2025-25064 is a high-severity SQL Injection (CWE-89) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25064 is a SQL injection vulnerability in the ZimbraSync Service SOAP endpoint of Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. It stems from insufficient sanitization of a user-supplied parameter, allowing arbitrary SQL queries to be injected via the affected endpoint and potentially exposing email metadata.
Authenticated attackers with valid credentials can exploit the flaw over the network by crafting malicious requests that manipulate the vulnerable parameter. Successful exploitation grants the ability to retrieve sensitive email metadata, with the issue carrying a CVSS 3.1 score of 8.8 reflecting high impact on confidentiality, integrity, and availability.
Zimbra's release notes for versions 10.0.12 and 10.1.4, along with the vendor's security advisories page, document the fixes applied to address this and related issues in the affected releases. The current EPSS score of 0.4776 with a peak of 0.4829 shows no material rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4006
Vulnerability details
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the…
more
request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible ZimbraSync SOAP endpoint directly enables exploitation of public-facing application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the insufficient sanitization of user-supplied parameters in the SOAP endpoint by requiring validation to prevent SQL injection attacks.
Mandates timely flaw remediation through patching to upgraded Zimbra versions 10.0.12 or 10.1.4, eliminating the SQL injection vulnerability.
Boundary protection mechanisms like web application firewalls can inspect and block SQL injection payloads targeting the ZimbraSync SOAP endpoint.