Cyber Resilience

CVE-2025-68645

HighCISA KEVActive ExploitationEUVD Exploited

Published: 22 December 2025

Published
22 December 2025
Modified
23 January 2026
KEV Added
22 January 2026
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.3177 98.1th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68645 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability, mapped to CWE-98, affecting the Webmail Classic UI in Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1. The flaw arises from improper handling of user-supplied request parameters within the RestFilter servlet, enabling attackers to manipulate internal request dispatching. Published on 2025-12-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high potential impact across confidentiality, integrity, and availability.

An unauthenticated remote attacker can exploit the vulnerability by crafting requests to the /h/rest endpoint, tricking a user into interacting with a malicious payload—such as clicking a link in a phishing email. Successful exploitation allows inclusion of arbitrary files from the WebRoot directory, potentially exposing sensitive configuration data, source code, or other server files, depending on directory contents and permissions.

Zimbra's Security Center wiki and Responsible Disclosure Policy provide relevant advisory details on patches and mitigation steps. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog, signaling real-world exploitation by threat actors. Security practitioners should prioritize patching affected ZCS instances and monitor for anomalous /h/rest requests.

EU & UK References

Vulnerability details

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the…

more

/h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

CWE(s)
KEV Date Added
22 January 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The LFI vulnerability in the public-facing Zimbra Webmail application directly enables exploitation of a public-facing application (T1190) via crafted requests to the /h/rest endpoint, often delivered through user interaction like phishing links.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66376Same product: Synacor Zimbra Collaboration Suiteboth on KEV
CVE-2025-25064Same product: Synacor Zimbra Collaboration Suite
CVE-2025-27915Same product: Synacor Zimbra Collaboration Suiteboth on KEV
CVE-2026-33373Same product: Synacor Zimbra Collaboration Suite
CVE-2025-68461Same product class: email / collaborationboth on KEV
CVE-2026-42897Same product class: email / collaborationboth on KEV
CVE-2021-26855Same product class: email / collaborationboth on KEV
CVE-2021-34473Same product class: email / collaborationboth on KEV
CVE-2022-41082Same product class: email / collaborationboth on KEV
CVE-2023-5631Same product class: email / collaborationboth on KEV

Affected Assets

synacor
zimbra collaboration suite
10.0.0 — 10.0.18 · 10.1.0 — 10.1.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing the LFI vulnerability by applying vendor patches for affected ZCS versions.

prevent

SI-10 mandates validation of user-supplied request parameters in the RestFilter servlet to prevent path traversal and arbitrary file inclusion from WebRoot.

prevent

SC-7 enforces boundary protection to inspect and block crafted unauthenticated requests to the /h/rest endpoint exploiting the LFI vulnerability.

References