CVE-2025-68645

HighCISA KEVActive Exploitation

Published: 22 December 2025

Published

22 December 2025

Modified

23 January 2026

KEV Added

22 January 2026

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.5607 98.1th percentile

Risk Priority 71 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68645 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing the LFI vulnerability by applying vendor patches for affected ZCS versions.

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of user-supplied request parameters in the RestFilter servlet to prevent path traversal and arbitrary file inclusion from WebRoot.

SC-7 Boundary Protection partial match

prevent

SC-7 enforces boundary protection to inspect and block crafted unauthenticated requests to the /h/rest endpoint exploiting the LFI vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The LFI vulnerability in the public-facing Zimbra Webmail application directly enables exploitation of a public-facing application (T1190) via crafted requests to the /h/rest endpoint, often delivered through user interaction like phishing links.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the…

/h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Deeper analysisAI

CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability, mapped to CWE-98, affecting the Webmail Classic UI in Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1. The flaw arises from improper handling of user-supplied request parameters within the RestFilter servlet, enabling attackers to manipulate internal request dispatching. Published on 2025-12-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high potential impact across confidentiality, integrity, and availability.

An unauthenticated remote attacker can exploit the vulnerability by crafting requests to the /h/rest endpoint, tricking a user into interacting with a malicious payload—such as clicking a link in a phishing email. Successful exploitation allows inclusion of arbitrary files from the WebRoot directory, potentially exposing sensitive configuration data, source code, or other server files, depending on directory contents and permissions.

Zimbra's Security Center wiki and Responsible Disclosure Policy provide relevant advisory details on patches and mitigation steps. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog, signaling real-world exploitation by threat actors. Security practitioners should prioritize patching affected ZCS instances and monitor for anomalous /h/rest requests.