Vulnerability Identifier

CVE-2025-68645

2025-12-22

Severity Assessment

8.8

HIGH

CVSS v3.x Score

CISA KEV Active Alert

Date Added

01 Jan 1970

Due Date

N/A

Required Action

Apply updates per vendor instructions.

Clinical Analysis (Description)

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Vector Sequencing

Attack Parameters

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Impact Consequences

Technical Impact

Unchanged

Scope

High

Confidentiality

High

Integrity

High

Availability

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weakness Classification

CWE-CWE-98

View CWE Details ↗

Affected Population

Affected Configurations

Total: 24 detected entries

Software List Scrollable

zimbra_collaboration_suite

Vendor: synacor • v10.0.10

zimbra_collaboration_suite

Vendor: synacor • v10.0.13

zimbra_collaboration_suite

Vendor: synacor • v10.0.4

zimbra_collaboration_suite

Vendor: synacor • v10.0.8

zimbra_collaboration_suite

Vendor: synacor • v10.1.7

zimbra_collaboration_suite

Vendor: synacor • v10.0.5

zimbra_collaboration_suite

Vendor: synacor • v10.1.5

zimbra_collaboration_suite

Vendor: synacor • v10.0.14

zimbra_collaboration_suite

Vendor: synacor • v10.1.1

zimbra_collaboration_suite

Vendor: synacor • v10.0.6

zimbra_collaboration_suite

Vendor: synacor • v10.0.11

zimbra_collaboration_suite

Vendor: synacor • v10.0.7

zimbra_collaboration_suite

Vendor: synacor • v10.1.2

zimbra_collaboration_suite

Vendor: synacor • v10.0.0

zimbra_collaboration_suite

Vendor: synacor • v10.1.4

zimbra_collaboration_suite

Vendor: synacor • v10.0.1

zimbra_collaboration_suite

Vendor: synacor • v10.0.9

zimbra_collaboration_suite

Vendor: synacor • v10.0.2

zimbra_collaboration_suite

Vendor: synacor • v10.1.0

zimbra_collaboration_suite

Vendor: synacor • v10.0.3

zimbra_collaboration_suite

Vendor: synacor • v10.1.8

zimbra_collaboration_suite

Vendor: synacor • v10.0.12

zimbra_collaboration_suite

Vendor: synacor • v10.1.3

zimbra_collaboration_suite

Vendor: synacor • v10.1.6

Timeline

Time Line

PUBLICATION

22 Dec 2025

MODIFICATION

23 Jan 2026

Impact Statistics

Key Metrics

CVSS Score

8.8

HIGH

Products

Affected

Articles

Published

Active Exploitation Confirmed

Remediation Protocol

Immediate Action Plan

1. Inventory

Identify all affected systems in your infrastructure.

2. Assessment

Assess exposure and criticality for your organization.

3. Mitigation

Apply patches or available workarounds.

4. Verification

Test and confirm effectiveness of applied measures.

⚠️ MAXIMUM PRIORITY - Immediate action required

Sources & Bibliography

NIST NVD MITRE CVE External Reference ↗ External Reference ↗ External Reference ↗

CVE Vulnerabilities

Posts & Pages

CVE-2025-68645

CISA KEV Active Alert

Attack Parameters

Technical Impact

CWE-CWE-98

Affected Configurations

Time Line

Key Metrics

Recommended Solution

Related News Articles

CISA ajoute quatre vulnérabilités actuellement exploitées au catalogue KEV

CISA Adds Four Active Exploited Software Vulnerabilities to KEV Catalog

Immediate Action Plan

1. Inventory

2. Assessment

3. Mitigation

4. Verification