Critical Vulnerabilities in Zimbra System: Attackers May Gain Unauthorized Access to Internal Resources

In today’s world, cybersecurity issues are highly relevant, and information systems, especially corporate email services, are constantly under threat. Zimbra Collaboration—a widely used open-source email and collaboration software—has become a primary target for cybercriminals. Recently, critical vulnerabilities, CVE-2025-25064 and CVE-2025-25065, were discovered in this software, posing a significant security risk.

CVE-2025-25064 – SQL Injection Vulnerability

The CVE-2025-25064 vulnerability, related to SQL Injection, has been identified in certain versions of Zimbra Collaboration:

• Versions 10.0.x (all versions prior to 10.0.12);
• Versions 10.1.x (all versions prior to 10.1.4).

This vulnerability arises from improper validation of user input in the ZimbraSync Service SOAP endpoint. An authenticated attacker could exploit this flaw by sending specially crafted SQL queries, potentially leading to the exposure of confidential data, including email metadata.

Mitigation Measures:

• Immediately update Zimbra Collaboration to version 10.0.12 or 10.1.4.
• Strengthen input validation and sanitization to prevent SQL injection attacks.

CVE-2025-25065 – Server-Side Request Forgery (SSRF) Vulnerability

The CVE-2025-25065 vulnerability, related to SSRF (Server-Side Request Forgery), affects the following Zimbra Collaboration versions:

• Version 9.0.0 (all versions prior to Patch 43);
• Versions 10.0.x (all versions prior to 10.0.12);
• Versions 10.1.x (all versions prior to 10.1.4).

This flaw resides in the RSS feed parser, allowing attackers to redirect requests to internal network endpoints without proper authorization. As a result, cybercriminals can leverage the Zimbra server to access internal network services, gather information about their configuration, and potentially exploit other vulnerabilities.

Mitigation Measures:

• Apply the latest security patches immediately.
• Restrict access to internal network resources and enforce strong authentication for critical services.

Historical Context of Zimbra Vulnerabilities

Zimbra has been a frequent target for cybercriminals, and attackers have actively exploited its vulnerabilities in the past. Notable incidents include:

• CVE-2024-45519 — In late 2024, a Remote Code Execution (RCE) vulnerability in the PostJournal service was discovered and actively exploited shortly after a proof-of-concept (PoC) was released.
• CVE-2023-37580 — A Cross-Site Scripting (XSS) vulnerability was found in the Zimbra Classic Web Client, putting user data at risk.

These incidents highlight the importance of continuous security monitoring and timely updates for Zimbra users.

Security Patches Released by Zimbra

Zimbra developers have issued patches to address the following vulnerabilities:

• Fixes for CVE-2025-25064 and CVE-2025-25065 — Input validation mechanisms have been strengthened to reduce exploitation risks.
• Fixes for older vulnerabilities — Recent updates also include patches for CVE-2019-9641 (a heap-based buffer overflow in PHP <7.3.10) and CVE-2013-7217 (an XXE vulnerability).

Administrators are advised to promptly update their systems using the following commands:

yum update  
apt update

To minimize attack risks, users should implement the following security measures:

✔ Update to the latest software versions — Use Zimbra Daffodil 10.1.5, 10.0.13, or 9.0.0 Patch 44.

✔ Utilize security scanning tools — Regularly scan systems with tools like Qualys, which can detect potential threats (e.g., QID 378721 for XSS vulnerabilities).

✔ Monitor system logs — Watch for unusual log activity, such as malformed CC fields or suspicious outbound connections.

✔ Restrict access to Zimbra servers — Allow connections only from trusted networks.

✔ Regularly review security configurations — Perform routine security audits and apply updates as soon as they become available.

The recently discovered vulnerabilities in Zimbra Collaboration present a significant security threat, as one allows SQL injection-based data breaches, while the other enables unauthorized access to internal resources through SSRF attacks. The developers have already released security patches, and all users must update their systems immediately to prevent potential data breaches. By keeping software up to date and following cybersecurity best practices, organizations can better protect sensitive information and mitigate security risks.