CVE-2025-68645: Zimbra File Inclusion Under Attack
CVE ID: CVE-2025-68645
Severity: HIGH | CVSS: 8.8
Sources: 2 different security sources
Status: ACTIVELY EXPLOITED - Added to CISA KEV Catalog
Let Me Explain What Happened
Let me walk you through something important that's happening right now with Zimbra email servers. If your organization uses Zimbra Collaboration Suite versions 10.0 or 10.1, attackers have found a way to trick your email server into showing them files it shouldn't—files that could contain sensitive information or even let them take control of the system. Think of it like someone figuring out how to manipulate your building's directory system to get access to rooms they shouldn't be able to enter. What makes this particularly concerning is that CISA—the Cybersecurity and Infrastructure Security Agency—has confirmed that attackers are actively using this vulnerability in the wild right now.
A Bit More Detail
Here's what's going on under the hood. Zimbra's webmail interface has a component called the RestFilter servlet that handles web requests. When someone sends a request to the /h/rest endpoint, this servlet is supposed to carefully validate what the user is asking for. Unfortunately, the developers didn't put enough guardrails in place. An attacker can craft a special request that manipulates how Zimbra processes that request internally, causing it to include and potentially execute files from the WebRoot directory that should never be accessible. The really troubling part? They don't even need to log in first—this works for completely unauthenticated attackers.
The Technical Specifics
- Attack Vector: Network-based (CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- Affected Products: Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1 (Webmail Classic UI)
- Vulnerability Type: CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) - also known as PHP Remote File Inclusion
- Authentication Required: None (PR:N) - Unauthenticated remote exploitation possible
- User Interaction: Required (UI:R) - Victim must interact with malicious request
- Impact Scope: High confidentiality, integrity, and availability impact
- Exploitation Status: Confirmed active exploitation as of January 22, 2026
Why This Matters So Much
Let me put this in perspective for you. When CISA adds a vulnerability to their Known Exploited Vulnerabilities (KEV) Catalog, it's not a theoretical exercise—it means they have concrete evidence that real attackers are using this flaw against real organizations right now. The KEV catalog is CISA's way of telling federal agencies and critical infrastructure operators: "Stop what you're doing and fix this immediately."
The combination of factors here is what security professionals call a "perfect storm." You have a vulnerability that doesn't require authentication, affects a widely-used enterprise email platform, and allows attackers to potentially read sensitive files or execute malicious code. Email servers are particularly attractive targets because they contain a treasure trove of business communications, credentials, and sensitive data. An attacker who successfully exploits this could potentially access email archives, configuration files containing passwords, or use the compromised server as a launching point for further attacks into your network.
Understanding the Attack Chain
Let me walk you through how an attacker might use this vulnerability. First, they identify a Zimbra server running version 10.0 or 10.1—this is often as simple as looking at HTTP headers or login pages. Next, they craft a malicious HTTP request to the /h/rest endpoint with carefully constructed parameters designed to manipulate the RestFilter servlet's internal request dispatching logic. Because the servlet doesn't properly validate these parameters, it can be tricked into including files from the WebRoot directory that should never be accessible to external users.
These files might include PHP configuration files, session data, or other sensitive information. In some scenarios, if the attacker can combine this with other techniques, they might even achieve remote code execution. The "User Interaction Required" aspect in the CVSS score suggests that some exploitation scenarios might involve tricking a legitimate user into clicking a malicious link, though the exact attack vectors being used in the wild haven't been publicly detailed yet.
What You Should Do About This
Here's my guidance, broken down into immediate actions and longer-term steps:
- Right Now (Emergency Response):
- Identify your exposure: Immediately inventory all Zimbra Collaboration Suite installations in your environment. Focus specifically on versions 10.0 and 10.1. If you're not sure what version you're running, check your Zimbra admin console or run `zmcontrol -v` from the command line.
- Monitor for exploitation attempts: Review your web server logs for unusual requests to the `/h/rest` endpoint, particularly those with suspicious parameters or path traversal attempts (look for patterns like `../` or encoded variations). Check for unexpected file access patterns in your WebRoot directory.
- Consider temporary mitigations: If you cannot immediately patch, consider restricting access to the `/h/rest` endpoint at your web application firewall or reverse proxy to trusted IP addresses only. This is not a permanent solution, but it reduces your attack surface while you prepare to patch.
- Review recent access: Look back through your logs for the past several weeks to identify any compromise that may already have occurred. Pay particular attention to unusual file access, unexpected administrative actions, or suspicious email forwarding rules that might have been created.
- For Federal Agencies and Critical Infrastructure:
- CISA's KEV catalog inclusion means Federal Civilian Executive Branch (FCEB) agencies must apply vendor-provided fixes by the deadline specified in CISA's directive (typically within days to weeks of KEV addition).
- Even if you're not a federal agency, treating KEV-listed vulnerabilities with the same urgency is a security best practice that I strongly recommend.
- For the Long Term (Remediation):
- Apply vendor patches: Visit the Zimbra Security Center at https://wiki.zimbra.com/wiki/Security_Center for the latest security updates and patch information. Zimbra typically releases patches for actively exploited vulnerabilities on an expedited basis.
- Test before deploying: I know the urgency is high, but please test patches in a non-production environment first if at all possible. Email systems are critical infrastructure, and you want to ensure the patch doesn't cause unexpected issues with your specific configuration.
- Upgrade if necessary: If patches aren't available for your specific version, you may need to consider upgrading to a newer, supported version of Zimbra. This is a good opportunity to review Zimbra's support lifecycle and ensure you're running a version that will continue to receive security updates.
- Harden your configuration: Review Zimbra's security hardening guidelines. Ensure you're following best practices like running Zimbra with minimal privileges, keeping the WebRoot directory as restricted as possible, and implementing proper network segmentation.
- Implement defense in depth: Don't rely solely on patching. Consider implementing web application firewall rules, intrusion detection signatures, and enhanced logging for your Zimbra infrastructure.
Detection and Hunting Guidance
For those of you with security operations teams, here are some specific things to look for:
- Web Server Log Analysis: Search for HTTP requests to paths containing `/h/rest` with unusual parameters, particularly those attempting path traversal or file inclusion patterns.
- SIEM Query Example (Generic): Look for requests where the URL contains `/h/rest` AND the query parameters contain suspicious patterns like `../`, `%2e%2e%2f` (URL-encoded), or references to sensitive files like `config`, `passwd`, or `.php`.
- Network-based Detection: Monitor for unusual outbound connections from your Zimbra servers, which might indicate successful exploitation and command-and-control communication.
- File Integrity Monitoring: If you have FIM tools deployed, review alerts for unexpected changes to files in the Zimbra WebRoot directory or configuration files.
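As an added example (my code, not part of this advisory and not a Zimbra or CISA tool), here is a small Python scanner that turns the log-analysis and SIEM guidance above, and the "Monitor for exploitation attempts" action earlier, into something you can run over Apache/nginx combined-format access logs. It percent-decodes each request target repeatedly so that double-encoded traversal (`%252e%252e%252f`) collapses the way a lenient server would see it, restricts attention to `/h/rest`, and flags traversal sequences plus the sensitive-file names the list mentions. The log lines are constructed samples using documentation IP ranges; the function names, the finding fields and the exact pattern set are my assumptions.

```python
import re
import sys
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format; none are real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2026:10:01:02 +0000] "GET /h/rest/calendar?fmt=ics HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jan/2026:10:02:15 +0000] "GET /h/rest/../../config HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [22/Jan/2026:10:02:19 +0000] "GET /h/rest?path=%2e%2e%2f%2e%2e%2fpasswd HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.44 - - [22/Jan/2026:10:03:00 +0000] "GET /h/rest?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.9 - - [22/Jan/2026:10:04:30 +0000] "POST /service/soap HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Traversal with either separator, checked on the fully decoded target.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Sensitive-file names named in the hunting guidance above.
SENSITIVE_RE = re.compile(r'(config|passwd|\.php)', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f become ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return the reasons a request target looks suspicious for /h/rest,
    or an empty list when it is not an /h/rest request or looks benign."""
    decoded = fully_decode(target)
    path_only = decoded.split("?", 1)[0]
    if "/h/rest" not in path_only:
        return []
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reason = "path traversal sequence"
        if not TRAVERSAL_RE.search(target):
            reason += " (percent-encoded)"  # only visible after decoding
        reasons.append(reason)
    if SENSITIVE_RE.search(decoded):
        reasons.append("reference to sensitive file name")
    return reasons


def scan_log_lines(text):
    """Parse combined-format lines and return a finding dict per
    /h/rest request that carries traversal or sensitive-file patterns."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        reasons = classify_request(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Usage: python scan.py /path/to/access.log  (falls back to the samples)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan_log_lines(text):
        print(f"{f['ip']} {f['time']} {f['status']} {f['target']} -> {', '.join(f['reasons'])}")
```

Treat hits as leads rather than verdicts: a 404 or 500 on a traversal attempt does not tell you whether the server actually served anything, so correlate each flagged source with file-integrity alerts and outbound-connection monitoring before deciding you are looking at a compromise, and expect some benign encoded query strings to trip the sensitive-name check.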
Going Deeper: The Broader Context
For those of you who want to understand the deeper technical and threat landscape context, let me share some additional insights. Local File Inclusion (LFI) vulnerabilities like this one fall under CWE-98, which describes situations where an application uses externally-influenced input to construct a pathname for file operations without properly validating that input. In PHP applications specifically, this often involves functions like include(), require(), or similar constructs that can be manipulated to include unintended files.
What makes this particularly dangerous in Zimbra's case is the combination of the vulnerability being in a widely-deployed enterprise collaboration platform and the fact that it's in the webmail interface—a component that's typically exposed to the internet by design. Zimbra is used by organizations worldwide, including government agencies, educational institutions, and businesses of all sizes. This makes it an attractive target for both opportunistic attackers and sophisticated threat actors.
The CVSS score of 8.8 (High severity) reflects the serious nature of this vulnerability. The score breaks down as follows: it's network-exploitable (AV:N), has low attack complexity (AC:L), requires no privileges (PR:N), but does require some user interaction (UI:R). The impacts on confidentiality, integrity, and availability are all rated High (C:H/I:H/A:H), meaning successful exploitation could lead to complete compromise of the affected system.
From a threat intelligence perspective, when CISA adds a vulnerability to the KEV catalog, it often means they're seeing exploitation attempts across multiple organizations or have received credible reports from trusted sources. While the specific threat actors exploiting this vulnerability haven't been publicly identified yet, LFI vulnerabilities in email systems are attractive to various threat actor types—from ransomware operators looking for initial access, to espionage-focused groups seeking to exfiltrate communications, to opportunistic attackers looking to compromise servers for botnet recruitment or cryptocurrency mining.
A Word of Encouragement
I know this kind of news can feel overwhelming, especially when you're already managing a hundred other security priorities. But here's the thing: the fact that you're reading this and taking the time to understand the vulnerability means you're already ahead of the curve. Many organizations won't even know they're affected until it's too late. By taking action now—inventorying your systems, monitoring for exploitation, and planning your patching strategy—you're doing exactly what needs to be done to protect your organization.
Remember, security is a journey, not a destination. Every vulnerability you address, every patch you apply, every detection rule you implement makes your environment that much more resilient. You've got this.
Where I Found This Information
- National Vulnerability Database (NVD) - CVE-2025-68645 (Authoritative technical details and CVSS scoring)
- CISA Known Exploited Vulnerabilities Catalog - CVE-2025-68645 (Credibility: 10 - Confirmation of active exploitation)
- CISA Alert: Four Known Exploited Vulnerabilities Added to Catalog (Credibility: 10 - Official government advisory)
- Zimbra Security Center (Vendor security information and updates)
- Zimbra Responsible Disclosure Policy (Vendor vulnerability reporting process)
Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere. The information provided here is current as of the publication date, but the threat landscape evolves rapidly. Please check the vendor's security center and CISA's KEV catalog for the most up-to-date information and guidance.