Zimbra has released an emergency security patch (version 10.1.12) to address a critical Server-Side Request Forgery (SSRF) vulnerability in its chat proxy configuration and is urging all administrators to update immediately. Left unpatched, the flaw could let an attacker make the server issue requests on the attacker's behalf, potentially leading to data exposure, system compromise, or service disruption.
“This patch fixes a critical security vulnerability related to a Server-Side Request Forgery (SSRF) in the chat proxy configuration. We recommend all users and administrators, especially those on Zimbra versions 10.1.5 to 10.1.11, to apply this update immediately,” the advisory warned.
Server-Side Request Forgery (SSRF) vulnerabilities occur when an attacker can make a server issue requests to destinations of the attacker's choosing, typically internal systems, loopback services or external URLs the attacker controls, none of which the attacker should be able to reach through the server. Because the request originates from the server, it carries the server's network position and, in some deployments, its credentials.
In Zimbra's chat proxy component, this could allow threat actors to:
- reach internal network resources that are not exposed externally,
- retrieve sensitive metadata (for example, from cloud instance metadata endpoints), or
- use the server as a pivot for further attacks.
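The following is an added example written for this article, not Zimbra's chat proxy code: a URL-forwarding proxy in its unsafe shape (connect to whatever the client asked for) beside a hardened check that allow-lists scheme, host and port, resolves the name, rejects internal address ranges and pins the vetted address. The upstream name chat.example.com, the allow-list values, the 7071 admin-port mention and the DNS answers used in the demo are assumptions chosen so the code runs offline.

```python
"""Added example (not Zimbra code): the SSRF shape in a URL-forwarding proxy,
shown as an unsafe forwarder beside a hardened one.

Assumptions: the proxy is only ever meant to reach one upstream
(chat.example.com over HTTPS/443); the resolver is injectable so the
example runs offline with constructed DNS answers.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"chat.example.com"}   # assumed upstream
ALLOWED_PORTS = {443}


class SsrfRejected(ValueError):
    """Raised when a requested target fails the SSRF policy."""


def upstream_unsafe(target_url):
    """Vulnerable pattern: connect to whatever host/port the client named.

    Nothing stops '169.254.169.254' (cloud metadata) or '127.0.0.1:7071'
    (Zimbra's admin port) from being handed to the proxy.
    """
    parts = urlsplit(target_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, parts.path or "/"


def default_resolver(host):
    """Real DNS lookup; returns every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _blocked(addr):
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped        # '::ffff:127.0.0.1' is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def upstream_safe(target_url, resolve=default_resolver):
    """Hardened pattern: allow-list, then resolve, then pin the vetted address.

    Returns (ip, port, path). Callers must connect to the returned IP (sending
    the allow-listed name in Host/SNI) rather than resolving again, otherwise a
    DNS-rebinding answer can swap in an internal address after the check.
    """
    parts = urlsplit(target_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise SsrfRejected("userinfo in URL (user@host confusion)")
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise SsrfRejected(f"host {host!r} not on allow-list")
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise SsrfRejected(f"port {port} not allowed")
    addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise SsrfRejected("name did not resolve")
    if any(_blocked(a) for a in addrs):
        raise SsrfRejected("name resolves to an internal address")
    return str(addrs[0]), port, parts.path or "/"


def is_rejected(target_url, resolve=default_resolver):
    """Convenience wrapper: True if the hardened check refuses the URL."""
    try:
        upstream_safe(target_url, resolve=resolve)
    except SsrfRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed DNS answer so the demo runs offline (93.184.216.34 is a public address)
    fake_dns = lambda host: ["93.184.216.34"] if host == "chat.example.com" else []
    print(upstream_unsafe("http://169.254.169.254/latest/meta-data/"))   # forwarded blindly
    print(upstream_safe("https://chat.example.com/ws", resolve=fake_dns))
    print(is_rejected("https://chat.example.com/", resolve=lambda h: ["10.0.0.5"]))  # rebinding
```

Pinning the resolved address is what closes the time-of-check/time-of-use gap: if the proxy re-resolves the name when it connects, a rebinding answer can return an internal address after the policy check has already passed. The userinfo check matters because `https://chat.example.com@169.254.169.254/` contains the allowed name as a username while the real host is the metadata endpoint.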
Zimbra vulnerabilities are often exploited by hackers in targeted attacks. Earlier this year, threat actors exploited an unpatched zero-day vulnerability (CVE-2025-27915) — a cross-site scripting (XSS) flaw in Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1 — to deploy malicious JavaScript payloads through .ICS calendar files.
ICS (iCalendar) files are a plain-text format for storing and exchanging event data between applications. In that case the vulnerability stemmed from insufficient sanitization of HTML content carried in calendar entries, which allowed arbitrary JavaScript to run in the context of the user's session.
According to the advisory, the patch — Zimbra 10.1.12, released on October 16, 2025 — not only fixes the SSRF flaw but also includes stability and synchronization improvements.
Administrators upgrading from versions 10.1.5 through 10.1.11 are strongly encouraged to apply this update to maintain system integrity.
Those upgrading from 10.1.3 or earlier must ensure the latest zimbra-lds-patch package is installed. After upgrading, administrators are required to reactivate their license using the following command:
Additionally, in multi-server environments, only the proxy nodes will display the 10.1.12 version tag, while other nodes may continue to show 10.1.11. This is the documented behaviour rather than a failed upgrade, since the fix applies to the proxy configuration.
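As an added example for the upgrade steps above (written for this article, not a Zimbra tool): a small check that reads the `Release X.Y.Z` line printed by `zmcontrol -v` on each node and applies the caveat that only proxy nodes report 10.1.12 after this patch, together with the zimbra-lds-patch requirement for upgrades from 10.1.3 or earlier. The node inventory, role names and build strings are constructed sample data, and the `Release <major>.<minor>.<patch>` format is an assumption about the first line of `zmcontrol -v` output.

```python
"""Added example (not a Zimbra tool): post-upgrade check for a multi-server
deployment, applying the 10.1.12 release caveats.

Assumptions: `zmcontrol -v` on each node prints a line beginning
"Release <major>.<minor>.<patch>", and the operator knows which role each
node plays. The inventory below is constructed sample data.
"""
import re

PATCHED = (10, 1, 12)
PREVIOUS = (10, 1, 11)          # non-proxy nodes may legitimately keep this tag
LDS_PATCH_CUTOFF = (10, 1, 3)   # upgrades from here or earlier need zimbra-lds-patch

_RELEASE_RE = re.compile(r"^Release (\d+)\.(\d+)\.(\d+)")


def parse_release(zmcontrol_output):
    """Return (major, minor, patch) from `zmcontrol -v` output, or None if absent."""
    for line in zmcontrol_output.splitlines():
        m = _RELEASE_RE.match(line.strip())
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def node_status(role, zmcontrol_output):
    """Classify one node: proxies must be at 10.1.12; other roles still showing
    10.1.11 is expected; anything else needs a look."""
    ver = parse_release(zmcontrol_output)
    if ver is None:
        return "unparsable"
    if ver == PATCHED:
        return "patched"
    if role != "proxy" and ver == PREVIOUS:
        return "expected-unchanged"
    return "needs-attention"


def audit(nodes, upgraded_from, lds_patch_installed):
    """nodes: {hostname: (role, zmcontrol_output)}.

    Returns (statuses, findings): statuses maps each host to its classification,
    findings lists everything an administrator still has to act on.
    """
    statuses = {host: node_status(role, out) for host, (role, out) in nodes.items()}
    findings = [f"{host}: {status}" for host, status in statuses.items()
                if status not in ("patched", "expected-unchanged")]
    if upgraded_from <= LDS_PATCH_CUTOFF and not lds_patch_installed:
        findings.append("upgrading from 10.1.3 or earlier: latest zimbra-lds-patch must be installed")
    if not any(role == "proxy" for role, _ in nodes.values()):
        findings.append("no proxy node in inventory, but the SSRF fix is in the proxy configuration")
    return statuses, findings


# Constructed sample inventory; build strings are made up for the demo.
SAMPLE_NODES = {
    "proxy1": ("proxy", "Release 10.1.12.GA.4810.UBUNTU22.64 UBUNTU22_64 FOSS edition."),
    "proxy2": ("proxy", "Release 10.1.11.GA.4790.UBUNTU22.64 UBUNTU22_64 FOSS edition."),  # missed
    "mbox1": ("mailbox", "Release 10.1.11.GA.4790.UBUNTU22.64 UBUNTU22_64 FOSS edition."),  # expected
    "ldap1": ("ldap", "Release 10.1.9.GA.4700.UBUNTU22.64 UBUNTU22_64 FOSS edition."),      # stale
}

if __name__ == "__main__":
    statuses, findings = audit(SAMPLE_NODES, upgraded_from=(10, 1, 3), lds_patch_installed=False)
    for host, status in statuses.items():
        print(f"{host:8} {status}")
    for f in findings:
        print("ACTION:", f)
```

In practice the inventory would be filled by running `zmcontrol -v` as the zimbra user on each node and recording the role from your own deployment records; the point of the role check is that a mailbox or LDAP node still reporting 10.1.11 is not a finding, while a proxy node reporting it is.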