【Vulnerability Alert】A Critical Security Vulnerability Has Been Identified in Zimbra Collaboration Suite (CVE-2025-68645)

publish date : 2025-12-29 update date : 2025-12-29

Source: Ministry of education information & communication security contingency platform

"" "" ""

Publication Number TACERT-ANA-2025122401121313 Publication Time 2025/12/24 13:37
Incident Type ANA-Vulnerability Alert Discovery Time 2025/12/24 13:37
Impact Level Low  
[Subject]
【Vulnerability Alert】A Critical Security Vulnerability Has Been Identified in Zimbra Collaboration Suite (CVE-2025-68645)

[Content]
Forwarded from TWCERTCC-200-202512-00000014

A critical Local File Inclusion (LFI) vulnerability has been identified in the Webmail Classic UI of the email server system Zimbra Collaboration Suite, assigned CVE-2025-68645 (CVSS: 8.8). This vulnerability arises from improper handling of user-supplied request parameters by the RestFilter Servlet.

Unauthenticated remote attackers can send requests to the /h/rest endpoint, thereby affecting internal request dispatching and enabling the inclusion of arbitrary files within the WebRoot directory.

(Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform]
Zimbra Collaboration Suite version 10.0 Zimbra Collaboration Suite version 10.1
[Recommended Actions]
Apply the remediation measures in accordance with the solution released on the official website.
[Reference]
https://www.twcert.org.tw/tw/cp-169-10593-468c8-1.html
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center