[CDP-development] TLP:GREEN Vulnerability Alert Notification: CVE-2025-68645: Unauthenticated Local File Inclusion in Zimbra Collaboration Suite

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Thu Jan 22 15:24:40 PST 2026


Good afternoon,

The SOC Services team is reporting on the vulnerability: CVE-2025-68645 affecting Zimbra Collaboration Suite (ZCS). Because this vulnerability allows for unauthenticated remote file access and has seen significant interest in the security community due to its ease of exploitation, we are providing this in-depth information.

History: Disclosed on December 22, 2025, this vulnerability was identified in the RestFilter servlet of the Zimbra Webmail Classic UI. The CVSS v3.1 base score is 8.8 (High).
Affected Versions

  *   Zimbra Collaboration Suite 10.0.x Webmail Classic UI
  *   Zimbra Collaboration Suite 10.1.x Webmail Classic UI
Fixed Versions

  *   Zimbra Collaboration Suite 10.0.18 and later
  *   Zimbra Collaboration Suite 10.1.13 and later
For more information directly from the vendor, please see: Zimbra Security Advisory - CVE-2025-68645 <https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>
Intelligence: As of January 22, 2026, CISA has confirmed the vulnerability as being exploited in the wild and has added it to the Known Exploited Vulnerabilities Catalog.
Exploitability Level: Low Complexity, Network Exploitability
Complexity: Low
User Interaction: Required
Remotely Exploitable: Yes
Proof of Concept: Publicly available (Nuclei templates and technical discussions exist)
Zero Day: No
Workarounds: Disable the Classic UI if it is not required for your organization; implement network-level restrictions at the firewall or reverse proxy to block external access to the /h/rest endpoint.
How it Works: An unauthenticated remote attacker can craft requests to the /h/rest endpoint that influence internal request dispatching, allowing the inclusion of arbitrary files from the WebRoot directory.
Post-Exploit Impact: Information Disclosure: exposure of sensitive configuration files, environment data, or internal credentials (CWE-200); Arbitrary File Inclusion: ability to include and view internal files such as /WEB-INF/web.xml (CWE-98).
Indicators of Compromise (IoCs):
  Type:                Log Pattern
  Value:               GET /h/rest? javax.servlet.include.servlet_path=/WEB-INF/web.xml
  Description / Notes: Monitor logs for unexpected calls to the rest endpoint attempting to access internal configuration files
  Source:              ProjectDiscovery
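The following is an added example of how the log pattern above can be turned into a detection over web-server access logs; it is not code from the SOC, Zimbra, or ProjectDiscovery. It assumes combined-format access-log lines (the sample lines below are constructed, not real traffic) and deliberately broadens the advisory's pattern to any /h/rest request carrying a javax.servlet.include.* parameter or a value pointing into WEB-INF, whether literal or URL-encoded.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# Line 1 mirrors the advisory's log pattern; line 2 is the same request URL-encoded.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Jan/2026:10:01:12 -0800] "GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jan/2026:10:01:15 -0800] "GET /h/rest?javax.servlet.include.servlet_path=%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jan/2026:10:02:01 -0800] "GET /h/rest?id=123&fmt=json HTTP/1.1" 200 311 "-" "curl/8.0"
203.0.113.9 - - [22/Jan/2026:10:02:44 -0800] "GET /zimbra/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def split_request(request: str) -> Optional[Tuple[str, str]]:
    """Return (method, target) from the quoted request field.

    The target is rebuilt from the middle tokens so that a stray space inside
    the query string (as in the advisory's pattern) does not break parsing.
    """
    parts = request.split(" ")
    if len(parts) < 3:
        return None
    return parts[0], " ".join(parts[1:-1])


def is_rest_include_probe(target: str) -> bool:
    """True for /h/rest requests that carry a javax.servlet.include.* parameter
    or any parameter value that points into WEB-INF.

    Matching every javax.servlet.include.* name, not only servlet_path, is a
    broadening of the advisory's single pattern chosen here as a defensive
    heuristic (assumption, not from the advisory).
    """
    url = urlsplit(target)
    if not url.path.startswith("/h/rest"):
        return False
    # parse_qsl percent-decodes names and values, so encoded variants are covered.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.strip().lower().startswith("javax.servlet.include."):
            return True
        if "web-inf" in value.lower():
            return True
    return False


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one record per matching request: who, when, what, and the status.

    A 200 with a sizeable body suggests the requested file was actually served,
    which is what distinguishes a probe from a successful disclosure.
    """
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = split_request(m.group("request"))
        if req is None:
            continue
        method, target = req
        if is_rest_include_probe(target):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": method,
                "target": target,
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']} -> {hit['status']}")
```

Run it against the proxy or Zimbra web-server access logs rather than only the mailbox logs, because the workaround of blocking /h/rest at the reverse proxy means the proxy is where blocked attempts will appear; hits with a 200 status and a non-trivial response size are the ones to escalate for compromise verification before patching.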
Tenable Plugins: As of January 22, 2026, Tenable has not released any plugins for the vulnerability and has no plugins in the pipeline.
Recommended Actions:
Date Added to KEV Catalog: 01/22/2026
Due Date for Remediation: 02/12/2026

  *   Identify all Zimbra instances running vulnerable Webmail Classic UI versions.
  *   Apply vendor-provided patches or upgrade to fixed releases as soon as possible.
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
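As an added example of the first recommended action (identifying vulnerable instances), the helper below triages a fleet of Zimbra hosts against the fixed levels stated in this advisory (10.0.18 and 10.1.13). It is not the SOC's or Zimbra's code; it assumes each host's `zmcontrol -v` output contains a "Release X.Y.Z_..." string, and the inventory it runs over is constructed.

```python
import re
from typing import Dict, NamedTuple, Optional

# Fixed patch level per affected branch, as stated in the advisory.
FIXED_IN = {(10, 0): 18, (10, 1): 13}


class ZimbraVersion(NamedTuple):
    major: int
    minor: int
    patch: int


# Assumed shape of `zmcontrol -v` output (assumption, not from the advisory):
#   "Release 10.0.7_GA_4518.UBUNTU20_64 UBUNTU20_64 FOSS edition."
VERSION_RE = re.compile(r"\bRelease\s+(\d+)\.(\d+)\.(\d+)")


def parse_zmcontrol_version(text: str) -> Optional[ZimbraVersion]:
    """Extract major.minor.patch from zmcontrol output, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return ZimbraVersion(*(int(g) for g in m.groups()))


def assess(version: ZimbraVersion) -> str:
    """Classify a version against the CVE-2025-68645 fix levels.

    Returns 'patched', 'vulnerable', or 'not-covered' for branches the advisory
    does not list (those need a separate vendor check, not a guess).
    """
    threshold = FIXED_IN.get((version.major, version.minor))
    if threshold is None:
        return "not-covered"
    return "patched" if version.patch >= threshold else "vulnerable"


def triage_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> assessment, given each host's raw `zmcontrol -v` output."""
    results: Dict[str, str] = {}
    for host, output in inventory.items():
        version = parse_zmcontrol_version(output)
        results[host] = "unparseable" if version is None else assess(version)
    return results


# Constructed inventory for demonstration (hostnames and outputs are made up).
SAMPLE_INVENTORY = {
    "mail1.example.test": "Release 10.0.17_GA_4549.UBUNTU22_64 UBUNTU22_64 FOSS edition.",
    "mail2.example.test": "Release 10.0.18_GA_4560.UBUNTU22_64 UBUNTU22_64 FOSS edition.",
    "mail3.example.test": "Release 10.1.12_GA_4611.RHEL9_64 RHEL9_64 NETWORK edition.",
    "mail4.example.test": "Release 10.1.13_GA_4620.RHEL9_64 RHEL9_64 NETWORK edition.",
    "mail5.example.test": "Release 9.0.0_GA_4258.UBUNTU20_64 UBUNTU20_64 FOSS edition.",
    "mail6.example.test": "-bash: zmcontrol: command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {verdict}")
```

Version level alone decides whether the fixed code is present; a host that is "vulnerable" here but has the Classic UI disabled or /h/rest blocked at the proxy (the workarounds above) is mitigated, not patched, and still needs the upgrade before the KEV due date.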

Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378


