CVE-2025-68645
Unknown Unknown - Not Provided
Local File Inclusion in Zimbra Webmail Allows File Disclosure

Publication date: 2025-12-22

Last updated on: 2025-12-22

Assigner: MITRE

Description
A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2025-12-22
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68645
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zimbra collaboration 10.1
zimbra collaboration 10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Local File Inclusion (LFI) issue in the Webmail Classic UI of Zimbra Collaboration versions 10.0 and 10.1. It occurs because the RestFilter servlet improperly handles user-supplied request parameters. An unauthenticated remote attacker can send crafted requests to the /h/rest endpoint, which can manipulate internal request dispatching and cause arbitrary files from the WebRoot directory to be included.

Impact Analysis

The vulnerability can allow an unauthenticated remote attacker to include arbitrary files from the WebRoot directory, potentially exposing sensitive information, compromising confidentiality, integrity, and availability of the system. This can lead to data breaches, unauthorized access, and disruption of services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68645. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart