Critical Security Flaws Found in Zimbra Collaboration Software

February 10, 2025

Zimbra has released software updates to address critical security flaws in its Collaboration software, which, if successfully exploited, could result in information disclosure under certain conditions.

Vulnerability Details

The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4.

Exploitation Vector

Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by "manipulating a specific parameter in the request."

Affected Versions

Customers using versions prior to 10.0.12 and 10.1.4 are advised to update to the latest versions of Zimbra Collaboration to ensure optimal protection.

Additional Vulnerabilities

Zimbra also addressed another critical vulnerability related to stored cross-site scripting (XSS) in the Zimbra Classic Web Client. The flaw is yet to be assigned a CVE identifier.

Patch Information

The fix strengthens input sanitization and enhances security. The security defect has been patched in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

SSRF Flaw

Another vulnerability addressed by Zimbra is CVE-2025-25065 (CVSS score: 5.3), a medium-severity server-side request forgery (SSRF) flaw in the RSS feed parser component that allows for unauthorized redirection to internal network endpoints.

Patch Information

The security defect has been patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4.

Stay Informed

Customers are advised to update to the latest versions of Zimbra Collaboration to ensure optimal protection. Follow us on Twitter and LinkedIn to read more exclusive content we post.