Zimbra Collaboration, a popular open-source email and collaboration software, was recently discovered to include critical vulnerabilities that pose serious risks to its users.
These vulnerabilities, identified as CVE-2025-25064 and CVE-2025-25065, allow attackers to exploit the system for unauthorized access to sensitive data and internal network resources.
Zimbra has issued patches to address these flaws, and users are strongly urged to update their systems immediately.
Overview of the Zimbra Vulnerabilities
CVE-2025-25064 – SQL Injection Vulnerability
A critical SQL injection vulnerability, identified as CVE-2025-25064, has been discovered in Zimbra Collaboration.
This flaw affects versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. The vulnerability stems from inadequate sanitization of user-provided input within the ZimbraSync Service SOAP endpoint.
Successful exploitation by authenticated attackers could allow the injection of arbitrary SQL queries, potentially leading to the exposure of sensitive email metadata and other confidential information.
Users are strongly advised to immediately mitigate this risk by updating their Zimbra Collaboration installations to version 10.0.12 or 10.1.4, as appropriate.
CVE-2025-25065 – Server-Side Request Forgery – SSRF) Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2025-25065, has been identified in Zimbra Collaboration.
This flaw impacts versions 9.0.0 prior to Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4.
The vulnerability resides within the RSS feed parser, enabling attackers to potentially redirect requests to internal network endpoints without proper authorization.
The recommended mitigation is to apply the latest available patches for the affected Zimbra versions.
Historical Context of Zimbra Vulnerabilities
Zimbra has been a frequent target for cybercriminals due to its extensive deployment across businesses and organizations worldwide. For instance:
In late 2024, CVE-2024-45519, a remote code execution (RCE) vulnerability in the postjournal service, was exploited in the wild shortly after its proof-of-concept (PoC) was released.
Another notable flaw, CVE-2023-37580, involved cross-site scripting (XSS) attacks on the Zimbra Classic Web Client, compromising user confidentiality and integrity.
Technical Fixes in Recent Patches
Zimbra has released multiple patches addressing these vulnerabilities:
Patch for CVE-2025-25064 and CVE-2025-25065: Strengthens input sanitization and mitigates exploitation risks.
Updates for older vulnerabilities like CVE-2019-9641 (heap-based buffer overflow in PHP <7.3.10) and XXE CWE-611 (CVE-2013-7217) have also been integrated into recent releases.
Administrators are encouraged to use commands like yum update or apt update to apply these patches promptly.
Recommendations for Users
- Upgrade to the latest versions: Zimbra Daffodil 10.1.5, 10.0.13, or 9.0.0 Patch 44.
- Regularly scan systems using tools like Qualys with detection signatures (e.g., QID 378721 for XSS vulnerabilities).
- Monitor logs for abnormal activity such as malformed CC fields or suspicious outbound connections.
- Restrict access to Zimbra servers from untrusted networks.
- Regularly review security configurations and apply updates as soon as they are available.
This underscores the importance of maintaining up-to-date software in mitigating cybersecurity risks. Organizations relying on Zimbra Collaboration should act swiftly to patch their systems and safeguard sensitive data against potential exploitation.
PCI DSS 4.0 & Supply Chain Attack Prevention – Free Webinar