Summary
CVE-2025-68645 is a critical Local File Inclusion (LFI) flaw in Zimbra Collaboration Suite’s Webmail Classic UI. Improper request handling in the RestFilter servlet lets unauthenticated attackers access files from the WebRoot. It affects ZCS 10.0.x (before 10.0.18) and 10.1.x (before 10.1.13). An immediate upgrade is recommended.
Urgent Actions Required
- Apply the latest Zimbra security updates by upgrading Zimbra Collaboration Suite to ZCS 10.0.18 or ZCS 10.1.13 (or later), or implement vendor-recommended mitigations immediately.
- If updates or mitigations cannot be applied, discontinue use of the affected Zimbra components as required.
- Ensure compliance with CISA BOD 22-01 by completing remediation no later than February 12, 2026.
Which Systems Are Vulnerable to CVE‑2025‑68645?
Technical Overview
- Vulnerability Type: Local File Inclusion (LFI) via RestFilter Servlet
- Affected Software/Versions:
  - Versions 10.0.x before 10.0.18
  - Versions 10.1.x before 10.1.13
- Attack Vector: Network (HTTP/HTTPS)
- CVSS Vector: v3.1
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
- Patch Availability: Yes, available
Zimbra released security updates that include a fix for the local file inclusion vulnerability (CVE-2025-68645) in ZCS 10.0.18 and ZCS 10.1.13 on November 06, 2025.
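A small version-triage script, added here as an example (not Zimbra's or the advisory's own code), that applies the affected-version rule above: a host is vulnerable only if it runs a 10.0.x build below 10.0.18 or a 10.1.x build below 10.1.13. The fixed versions come from the advisory; the version-banner format and the sample inventory are constructed assumptions.

```python
"""Check ZCS version strings against the fixed releases for CVE-2025-68645.

Added example, not Zimbra's or the advisory's own code. Fixed versions are
taken from the advisory (10.0.18, 10.1.13); the banner format and the
inventory below are constructed for illustration.
"""
import re

# Earliest fixed release per affected branch (from the advisory).
FIXED_BY_BRANCH = {
    (10, 0): (10, 0, 18),
    (10, 1): (10, 1, 13),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first major.minor.patch triple from a version string.

    The '10.1.12_GA_1234' shape used below is an assumed banner format."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if the version is on an affected branch and below its fixed release."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # Branch not listed as affected by the advisory (e.g. 9.x, 10.2.x).
        return False
    return (major, minor, patch) < fixed


def triage(inventory: dict) -> dict:
    """Split {host: version} into hosts needing the upgrade and hosts already fixed."""
    result = {"upgrade_required": [], "ok": []}
    for host, version in inventory.items():
        bucket = "upgrade_required" if is_vulnerable(version) else "ok"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and builds are not real).
SAMPLE_INVENTORY = {
    "mail1.example.test": "10.0.17_GA_1111",
    "mail2.example.test": "10.0.18_GA_2222",
    "mail3.example.test": "10.1.12_GA_3333",
    "mail4.example.test": "10.1.13_GA_4444",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '(none)'}")
```

Feed it whatever version strings your inventory tooling reports; the comparison is done on the numeric triple, so build suffixes are ignored. Branches the advisory does not list are reported as not affected, which is a statement about this CVE only, not about the host's overall patch state.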
Vendor advisory: Security Center - Zimbra :: Tech Center
How Does the CVE‑2025‑68645 Exploit Work?
The attack typically follows these steps:
What Causes CVE‑2025‑68645?
Vulnerability Root Cause:
This issue originates from improper handling of user-supplied request parameters within the RestFilter servlet in Zimbra Collaboration Suite's Webmail Classic UI. The servlet does not adequately validate or sanitize these inputs, allowing crafted requests sent to the /h/rest endpoint to alter internal request dispatching. As a result, the application can expose files from the WebRoot directory without requiring authentication.
How Can You Mitigate CVE‑2025‑68645?
If immediate patching is delayed or not possible:
- Restrict public access to the /h/rest endpoint to limit exposure.
- Disable the Webmail Classic UI if it is not required.
- Review WebRoot directory permissions and remove or restrict access to sensitive files.
- Monitor logs for unusual or suspicious requests to /h/rest.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
  - Email & Collaboration Platforms – Zimbra Collaboration Suite (ZCS) deployments using the Webmail Classic UI
  - Webmail Interfaces – Internet-accessible Zimbra web clients exposing the /h/rest endpoint
- Business-Critical Systems at Risk:
  - Enterprise Email Systems – Risk of exposure of internal files used by mail services
  - Collaboration Infrastructure – Potential leakage of configuration files or internal paths supporting messaging and collaboration workflows
- Exposure Level:
  - Internet-Facing Zimbra Servers – Systems where the Webmail Classic UI is publicly accessible
  - Unauthenticated Access Paths – Deployments allowing external access to the /h/rest endpoint without additional restrictions
Will Patching CVE‑2025‑68645 Cause Downtime?
Patch application impact: Applying the fix requires upgrading Zimbra Collaboration Suite to ZCS 10.0.18 or ZCS 10.1.13 and later. The update may require planned maintenance, depending on the deployment model and upgrade process in use.
How Can You Detect CVE‑2025‑68645 Exploitation?
- Exploitation Signatures:
  Potential exploitation attempts involve crafted HTTP requests sent to the /h/rest endpoint. These requests manipulate request parameters used by the RestFilter servlet to alter internal request routing and force inclusion of files located under the Zimbra WebRoot directory.
- Indicators of Compromise (IOCs/IOAs):
  - Repeated or unusual access attempts to the /h/rest endpoint
  - Requests attempting to reference internal paths under the WebRoot directory
  - Server responses exposing configuration files, internal paths, or unexpected application data
  - Access to normally restricted deployment or configuration files
- Behavioral Indicators:
  - Unauthenticated requests resulting in successful file inclusion
  - Exposure of internal application files through normal web responses
  - Abnormal request dispatch behavior within the Zimbra Webmail Classic UI
- Alerting Strategy:
  - Priority: High
  - Trigger alerts for:
    - Monitor web and application logs for suspicious activity targeting the /h/rest endpoint
    - Flag unauthenticated requests that result in file content disclosure
    - Investigate repeated probing of Zimbra WebRoot paths or unexpected file access patterns
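The indicators above translate into a straightforward access-log sweep. The script below is an added example (not Zimbra's or the advisory's own code) that parses combined-format web-server log lines, isolates requests to /h/rest, flags generic path-traversal markers in the request path, and counts per-source-IP probing of the endpoint. The log format, the traversal patterns, the probing threshold and the sample log lines are all constructed assumptions; the patterns are generic LFI indicators, not the specific CVE-2025-68645 request shape, which this page does not describe.

```python
"""Sweep web-server access logs for suspicious /h/rest activity.

Added example, not Zimbra's or the advisory's own code. Assumes the common
Apache/nginx "combined" log format; the indicator patterns, threshold and
sample lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Generic traversal markers (assumption): plain, URL-encoded and double-encoded dot-dot.
_TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e)", re.IGNORECASE)

ENDPOINT = "/h/rest"
PROBE_THRESHOLD = 5  # /h/rest requests from one IP before it counts as probing (assumption)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> list:
    """Return the reasons a single /h/rest request looks suspicious (empty if none)."""
    path = entry["path"]
    if not path.startswith(ENDPOINT):
        return []
    reasons = []
    # Double-decode so %25-encoded sequences are also caught after decoding.
    decoded = unquote(unquote(path))
    if _TRAVERSAL_RE.search(path) or "../" in decoded:
        reasons.append("traversal_sequence")
        if entry["status"] == 200:
            # A 2xx on a traversal-looking path deserves the highest priority.
            reasons.append("traversal_succeeded")
    return reasons


def analyze(lines: list) -> dict:
    """Run per-request checks plus a per-IP probing count over a list of log lines."""
    findings = []
    rest_hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; skipped rather than aborting the sweep
        if entry["path"].startswith(ENDPOINT):
            rest_hits[entry["ip"]] += 1
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": entry["status"], "reasons": reasons})
    probing = sorted(ip for ip, n in rest_hits.items() if n >= PROBE_THRESHOLD)
    return {"findings": findings, "probing_ips": probing}


# Constructed sample log (documentation IP ranges; nothing here is a real capture).
SAMPLE_LOG = [
    '192.0.2.5 - - [06/Nov/2025:10:00:00 +0000] "GET /h/search?query=test HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [06/Nov/2025:10:00:01 +0000] "GET /h/rest HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Nov/2025:10:00:02 +0000] "GET /h/rest/%2e%2e/%2e%2e/sample.txt HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.7 - - [06/Nov/2025:10:00:03 +0000] "GET /h/rest?a=1 HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [06/Nov/2025:10:00:04 +0000] "GET /h/rest?a=2 HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [06/Nov/2025:10:00:05 +0000] "GET /h/rest?a=3 HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [06/Nov/2025:10:00:06 +0000] "GET /h/rest?a=4 HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [06/Nov/2025:10:00:07 +0000] "GET /h/rest/../../sample.txt HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"{f['ip']} {f['status']} {f['path']} -> {', '.join(f['reasons'])}")
    print("probing IPs:", report["probing_ips"])
```

Run it over a real log with `analyze(open(path).read().splitlines())`. Two design points: the web-server log alone cannot tell you whether a Zimbra request was authenticated, because the session lives in a cookie rather than the HTTP auth field, so the "unauthenticated requests resulting in successful file inclusion" indicator has to be confirmed against the application-side log; and the probing threshold should be tuned to the legitimate /h/rest traffic your Classic UI users generate before it is used for alerting.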
Remediation & Response
- Remediation Timeline:
  - Immediate: Apply Zimbra security updates or vendor-recommended mitigations.
  - By Feb 12, 2026: Upgrade all affected systems to ZCS 10.0.18 or 10.1.13+.
  - After update: Confirm no vulnerable ZCS 10.0.x or 10.1.x versions remain.
- Rollback Plan:
  If issues arise during the upgrade process, revert to the previously deployed stable Zimbra version and reassess mitigation measures until the patch can be safely reapplied. Document rollback actions according to internal change-management procedures.
- Incident Response Considerations:
  - Review web and application logs for suspicious activity involving the /h/rest endpoint.
  - Identify any unauthenticated requests that may have resulted in file inclusion from the WebRoot directory.
  - Assess whether sensitive configuration files, internal paths, or application data were exposed.
  - After applying updates, continue monitoring for abnormal access patterns targeting Zimbra web endpoints.
Compliance & Governance Notes
- Audit Trail Requirement:
  - Log and review requests to the /h/rest endpoint, as exploitation relies on crafted requests targeting this path.
  - Monitor for unauthenticated access attempts that result in file inclusion from the Zimbra WebRoot directory.
  - Track patch deployment status for Zimbra Collaboration Suite instances, ensuring upgrades to ZCS 10.0.18 or ZCS 10.1.13 and later are completed.
- Policy Alignment:
  - Follow vendor guidance from Zimbra and CISA for mitigation and remediation of KEV-listed vulnerabilities.
  - Restrict exposure of Zimbra web interfaces where possible, especially if the Classic UI is not required.
  - Discontinue use of affected versions if security updates or mitigations cannot be applied, as advised by CISA.
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 8.8 | Indicates a high-severity vulnerability with significant security impact |
| Attack Vector | Network | The flaw can be exploited remotely over network-accessible Zimbra endpoints |
| Attack Complexity | Low | Exploitation does not require complex conditions or a specialized setup |
| Privileges Required | None | The attacker does not need authentication or prior access |
| User Interaction | Required | Exploitation requires user interaction |
| Scope | Unchanged | The impact is confined to the affected Zimbra application component |
| Confidentiality Impact | High | Arbitrary file inclusion can expose sensitive files and internal paths |
| Integrity Impact | High | Exploitation may enable manipulation or misuse of application behavior |
| Availability Impact | High | Successful abuse can significantly affect service stability or operations |