What is Zimbra Collaboration Suite?
Zimbra Collaboration Suite (ZCS) is a widely deployed enterprise email and collaboration platform used by businesses, government agencies, universities, and internet service providers worldwide. Zimbra provides webmail, calendar, contacts, and file sharing — often deployed on-premises and internet-accessible for remote users. The Classic UI (used in older ZCS versions and on older browsers) is served via servlet-based Java handlers.
Zimbra has been a persistent target for advanced threat actors. APT28 (Fancy Bear) exploited Zimbra XSS zero-days in 2022–2023 for diplomatic espionage. Winter Vivern targeted Zimbra webmail in European government organizations. Chinese APTs have also targeted Zimbra deployments in Asia-Pacific.
Overview
CVE-2025-68645 is a local file inclusion (LFI) vulnerability — cataloged as CWE-98 (PHP Remote File Inclusion, though the actual mechanism is path traversal in a Java servlet) — in the Zimbra Classic UI's RestFilter servlet at the /h/rest endpoint. The endpoint improperly handles request parameters used for internal request dispatching, allowing an unauthenticated attacker to craft requests that include arbitrary files from the ZCS WebRoot directory. Sensitive configuration files, session data, and credentials stored in the WebRoot are exposed. CISA added the vulnerability to the KEV catalog on January 22, 2026, alongside the eslint supply chain attack and the Versa Concerto vulnerability — all three confirmed as under active exploitation within the same reporting period.
Affected Versions
| Branch | Vulnerable | Fixed |
|---|---|---|
| ZCS 10.0.x | 10.0.0 – 10.0.17 | 10.0.18 |
| ZCS 10.1.x | 10.1.0 – 10.1.12 | 10.1.13 |
Technical Details
The RestFilter servlet (accessible at /h/rest) is part of the Zimbra Classic UI used for handling REST-based requests in the web client. The servlet uses request parameters to determine which internal resource handler to dispatch to. The vulnerability is an improper restriction of how these parameters are used for internal request routing — allowing an attacker to supply a traversal sequence that causes the servlet to include arbitrary files from the ZCS WebRoot directory.
Files accessible via this LFI include:
- ZCS configuration files containing database credentials and LDAP bind passwords
- Zimbra session token files and authentication data
- JSP and servlet source files
- Any other file within or accessible relative to the WebRoot directory
The attacker submits a specially crafted GET request to /h/rest with manipulated parameters that cause the server to return the contents of the targeted file in the HTTP response — all without authentication.
Key characteristics:
- No authentication required
- User interaction required (UI:R in CVSS) — the victim must make a request to the crafted URL (e.g., by clicking a phishing link to the Zimbra server) for some exploitation vectors; however, direct server-to-attacker exfiltration is possible without user interaction in certain configurations
- Targets the WebRoot — any file within the application's file-serving scope is potentially readable
Discovery
Reported December 22, 2025, with PoC published on GitHub shortly after. Exploitation began in mid-January 2026.
Exploitation Context
Active exploitation began shortly after the CVE publication in December 2025. CISA added the vulnerability to the KEV catalog on January 22, 2026. Zimbra's history of APT targeting (APT28, Winter Vivern, Chinese APTs) suggests that state-sponsored actors were early adopters of this exploit for email surveillance operations. Exposed credentials from ZCS configuration files enable full mailbox access and lateral movement within target organizations.
Remediation
- Upgrade to ZCS 10.0.18 or 10.1.13 immediately. The CISA deadline was February 12, 2026.
- Rotate all credentials stored in ZCS configuration: MySQL/MariaDB database passwords, LDAP bind credentials, S/MIME certificate keys, and any API integration tokens.
- Review ZCS access logs for unexpected GET requests to /h/rest with traversal sequences from external IP addresses.
- Check for account compromise indicators: unexpected email forwarding rules, new authorized devices, or access from unusual geographic locations in ZCS admin audit logs.
- Restrict internet access to the Zimbra webmail interface where possible — place it behind a WAF with rules blocking path traversal patterns.
- Apply Zimbra security patches promptly in future — Zimbra's quarterly patch cycle and history of targeting mean that unpatched instances quickly become exploitation targets.
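The log review step above, as an added example that is not part of the original advisory: a scanner that flags GET requests to /h/rest whose decoded target contains a parent-directory step, catching plain, percent-encoded, double-encoded and backslash variants, and marking whether the source address is external. The sample log lines are constructed; the query parameter name "p", the file names and the internal address ranges are assumptions, not details of the real vulnerability or of any real deployment.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format, not real Zimbra logs; the query parameter
# "p" and the file names are placeholders, not the real CVE-2025-68645 request details.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2026:03:12:44 +0000] "GET /h/rest?p=../../conf/PLACEHOLDER.xml HTTP/1.1" 200 5120 "-" "curl/8.4"
198.51.100.9 - - [15/Jan/2026:03:13:01 +0000] "GET /h/rest?p=..%2F..%2Fconf%2FPLACEHOLDER.xml HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.5 - - [15/Jan/2026:08:02:11 +0000] "GET /h/rest?p=calendar HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2026:03:14:09 +0000] "GET /h/rest?p=%252e%252e%252fPLACEHOLDER.txt HTTP/1.1" 200 3200 "-" "curl/8.4"
192.0.2.3 - - [15/Jan/2026:09:00:00 +0000] "GET /h/calendar?view=month HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.8 - - [15/Jan/2026:09:30:00 +0000] "GET /h/rest?p=..\\..\\PLACEHOLDER.txt HTTP/1.1" 404 220 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")  # a parent-directory step, checked after decoding
# Ranges treated as internal (assumption: RFC 1918 plus loopback); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def normalize_target(target: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded %252e%252e%252f
    both become '../', then fold backslashes to slashes so ..\\..\\ is caught as well."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def scan_access_log(text: str) -> list[dict]:
    """One finding per GET to /h/rest whose decoded target contains a traversal sequence."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        decoded = normalize_target(m.group("target"))
        if not decoded.startswith("/h/rest") or not TRAVERSAL_RE.search(decoded):
            continue  # normal Classic UI traffic, or a different endpoint
        findings.append({"ip": m.group("ip"), "external": is_external(m.group("ip")),
                         "status": int(m.group("status")), "decoded_target": decoded})
    return findings
```

A 200 status on a flagged request deserves the most attention, since it means the server returned content for the traversal path; a 404 from an internal address still merits a look but may be a scanner or a patched host.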
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-68645 |
| Vendor / Product | Synacor — Zimbra Collaboration Suite (ZCS) |
| NVD Published | 2025-12-22 |
| NVD Last Modified | 2026-01-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-98 |
| CISA KEV Added | 2026-01-22 |
| CISA KEV Deadline | 2026-02-12 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-12-22 | CVE published; Zimbra releases ZCS 10.0.18 and 10.1.13 with fix |
| 2026-01-15 | Active exploitation begins (estimated from CISA KEV timing) |
| 2026-01-22 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-02-12 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Zimbra Security Center — CVE-2025-68645 | Vendor Advisory |
| NVD — CVE-2025-68645 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Beazley — Critical Vulnerability in Zimbra Webmail CVE-2025-68645 | Security Research |
| CVEFeed — CVE-2025-68645 Analysis | Security Research |