Zimbra Webmail Classic UI Local File Inclusion Vulnerability
A high-severity Local File Inclusion (LFI) vulnerability has been identified in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1. The flaw, tracked as CVE-2025-68645, arises from improper handling of user-supplied request parameters in the RestFilter servlet, allowing unauthenticated remote attackers to craft requests to the /h/rest endpoint and include arbitrary files from the WebRoot directory. This vulnerability exposes internal files to attackers, potentially leading to the disclosure of sensitive information and further compromise of affected Zimbra installations.
Security researchers have highlighted the risk that this LFI vulnerability poses, as it can be exploited without authentication and may serve as a stepping stone for more advanced attacks. Organizations using Zimbra Collaboration Suite are urged to review their deployments and apply any available patches or mitigations to prevent exploitation. The vulnerability has been assigned a CVSS 3.1 score of 8.8, reflecting its high impact and ease of exploitation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public reporting warns of unauthenticated file access risk in Zimbra
Subsequent security reporting highlighted that the Zimbra LFI issue could let unauthenticated attackers access internal files and expose sensitive information on affected servers. The coverage emphasized the urgency of patching to reduce the risk of data exposure and further exploitation.
CVE-2025-68645 published for Zimbra Webmail Classic UI LFI flaw
A high-severity local file inclusion vulnerability affecting Zimbra Collaboration Suite 10.0 and 10.1 was published as CVE-2025-68645. The flaw in the RestFilter servlet allows unauthenticated remote attackers to use the /h/rest endpoint to include arbitrary files from the WebRoot directory.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Zimbra Zero-Day Exploited via Malicious ICS Files Targeting Brazilian Military
A critical security vulnerability in Zimbra Collaboration Suite, tracked as CVE-2025-27915, was exploited as a zero-day in targeted cyberattacks against the Brazilian military. The flaw, a stored cross-site scripting (XSS) vulnerability in the Classic Web Client, resulted from insufficient sanitization of HTML content in ICS (iCalendar) calendar files. Attackers leveraged this vulnerability by sending malicious ICS files embedded with JavaScript code, which executed when a user viewed an email containing the crafted calendar entry. The JavaScript payload enabled arbitrary code execution within the victim's session, allowing attackers to perform unauthorized actions such as setting email filters to redirect messages to attacker-controlled addresses. This facilitated data exfiltration, including the theft of credentials, emails, contacts, and shared folders from compromised Zimbra accounts. The malicious campaign involved threat actors spoofing the Libyan Navy's Office of Protocol to deliver the exploit to Brazilian military targets. The ICS files used in the attack were notably large and contained obfuscated JavaScript, often encoded in Base64 to evade detection. The payload was designed to operate asynchronously and utilized Immediately Invoked Function Expressions (IIFEs) for execution. Researchers at StrikeReady Labs discovered the attack by monitoring for unusually large ICS attachments containing JavaScript. The campaign began at the start of January 2025, prior to Zimbra releasing patches for the vulnerability. Zimbra addressed the issue in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5, released on January 27, 2025, but did not initially disclose that the vulnerability had been exploited in the wild. The attack also included mechanisms to hide certain user interface elements, further reducing the likelihood of detection by end users. The malicious script searched for emails in specific folders and added filter rules named "Correo" to forward messages to a ProtonMail address controlled by the attackers. The exfiltrated data was sent to an external server, ffrk[.]net, under the attackers' control. The exploitation of this vulnerability highlights the risks associated with insufficient input sanitization in webmail platforms and the effectiveness of social engineering tactics, such as spoofing trusted entities. The incident underscores the importance of timely patching and monitoring for anomalous file attachments in email systems. Security researchers recommend organizations using Zimbra Collaboration Suite apply the latest patches and review email filtering rules for signs of compromise. The attack demonstrates the evolving sophistication of threat actors in leveraging zero-day vulnerabilities for targeted espionage campaigns against high-value organizations.
Mar 21, 2026
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.
Apr 28, 2026
Zimbra 10.1.16 Security Update Patches XSS, XXE, and Authenticated LDAP Injection
Zimbra released **version 10.1.16** with a strong recommendation that administrators upgrade immediately, citing high-severity issues and deployment risk. The update addresses multiple injection-class vulnerabilities affecting the collaboration suite, including **cross-site scripting (XSS)** in *Webmail* and *Briefcase* that could enable session hijacking and data theft via malicious script injection in a user’s browser. The release also patches an **XML External Entity (XXE)** flaw in the **EWS SOAP endpoint**, which could potentially be abused for local file disclosure, denial-of-service conditions, or **SSRF** depending on environment and parser behavior, and fixes an **authenticated LDAP injection** issue where insufficient sanitization could allow a logged-in user to manipulate LDAP queries to access or influence directory data. In addition to these targeted fixes, Zimbra reports broader hardening such as **stronger CSRF protections** through improved token validation, alongside other security-related stability adjustments.
Mar 21, 2026