Administrators of the popular Zimbra Collaboration Suite (ZCS) are being urged to patch immediately after the discovery of two distinct security vulnerabilities. The most severe of the pair allows unauthenticated attackers to exploit the “Classic” Webmail interface to read internal files, potentially exposing sensitive server data to the open internet.
The flaws, tracked as CVE-2025-68645 and CVE-2025-67809, affect the 10.0 and 10.1 branches of the platform.
The headliner of this security bulletin is CVE-2025-68645, a high-severity Local File Inclusion (LFI) vulnerability carrying a CVSS score of 8.8.
The issue resides in the Webmail Classic UI, specifically within the RestFilter servlet. Due to improper handling of user requests, the system fails to adequately sanitize input sent to the /h/rest endpoint.
“An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching,” reads the CVE description.
This oversight allows attackers to trick the server into including arbitrary files from the WebRoot directory. Because the attack requires no authentication, any server exposing the Webmail Classic interface to the internet is potentially at risk of having its internal application files harvested by automated scanners.
The second vulnerability serves as a textbook example of a hardcoded credential risk. Tracked as CVE-2025-67809 (CVSS 4.7), this flaw involves the Flickr Zimlet—an integration tool used by Zimbra to connect with the photo-sharing service.
Researchers discovered that the developers had embedded the Flickr API key and secret directly into the Zimlet’s code, making them publicly accessible.
“Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration,” NIST notes.
Armed with these keys, an attacker could impersonate the legitimate Zimbra application and initiate valid OAuth login flows. If they successfully trick a user into approving the request, they could gain unauthorized access to that user’s private Flickr data.
The vendor has since revoked the compromised key and removed the hardcoded secrets from the codebase.
Zimbra has released updates to squash both bugs. Administrators should upgrade their deployments to the following versions immediately:
- Zimbra Collaboration 10.1.13
- Zimbra Collaboration 10.0.18
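For administrators triaging a fleet, the two fixed releases above can be turned into a per-branch check over the output of `zmcontrol -v`. This is an added example, not code from the article or from Zimbra; it assumes the version field has the form `Release X.Y.Z...` and the sample output lines are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the bulletin, keyed by branch (major, minor).
FIXED_VERSIONS = {
    (10, 1): (10, 1, 13),
    (10, 0): (10, 0, 18),
}

# Assumed shape of the version field printed by `zmcontrol -v`, e.g.
# "Release 10.1.12.GA.4923.UBUNTU22.64 UBUNTU22_64 FOSS edition." (constructed sample)
VERSION_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(zmcontrol_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from zmcontrol output, or None if absent."""
    m = VERSION_RE.search(zmcontrol_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(zmcontrol_output: str) -> str:
    """Classify a host as 'patched', 'vulnerable' or 'unknown' for these two CVEs."""
    version = parse_version(zmcontrol_output)
    if version is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch not covered by the bulletin (e.g. 9.0): cannot be judged from these CVEs alone.
        return "unknown"
    # Tuple comparison orders (major, minor, patch) lexicographically, which
    # is exactly the semantic ordering within a single branch.
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs, one per branch plus an out-of-scope release.
    samples = [
        "Release 10.1.12.GA.4923.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
        "Release 10.1.13.GA.4928.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
        "Release 10.0.17.GA.4604.UBUNTU20.64 UBUNTU20_64 FOSS edition.",
        "Release 9.0.0.GA.4585.UBUNTU20.64 UBUNTU20_64 FOSS edition.",
    ]
    for line in samples:
        print(f"{assess(line):10s} <- {line}")
```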
With the LFI vulnerability allowing unauthenticated access, organizations are advised to prioritize this update to prevent potential reconnaissance or data leakage operations by opportunistic threat actors.