📄 Zimbra Collaboration 10.0 / 10.1 Local File Inclusion

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

This is a proof of concept exploiting a local file inclusion vulnerability existing in the Webmail Classic UI of Zimbra Collaboration ZCS versions 10.0 and 10.1. The issue is due to improper handling of user-supplied request parameters in the...

Visit Original Source

Basic Information

ID PACKETSTORM:213358

Published Jan 2, 2026 at 00:00

Affected Product

Affected Versions # zimbramail-CVE-2025-68645-poc

A proof-of-concept exploiting a Local File Inclusion (LFI) vulnerability existing in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet.

# Vulnerability

The vulnerability exists due to improper input validation in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

- User-controlled parameters are not correctly sanitized.
- Internal request routing can be manipulated.
- Arbitrary files under the WebRoot directory may be included in server responses.

# Affected Versions

- Zimbra versions 10.0.x prior to 10.0.18
- Zimbra versions 10.1.x prior to 10.1.13

# Poc (by sirifu4k1)

```
http://127.0.0.1/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml
```

# Automation

Nuclei-Template:

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-68645.yaml

# Into the wild

FOFA:

```
((title="Zimbra Web Client Sign In") || (title="Zimbra 网络客户端登录"))
```

SHODAN:

```
http.title:"Zimbra Web Client Sign In"
```

# Impact

An unauthenticated remote attackers can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.

- Read sensitive files (configs, environment data)
- Leak credentials or internal paths
- Gather intelligence for further exploitation
- Chain with other vulnerabilities for deeper compromise

Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
/ Base Score 3.x
8.80
/ Severity 3.x
HIGH

# Remediation & Mitigation

Update to the latest version of Zimbra Collaboration.

- ZCS 10.0.18
- ZCS 10.1.13 and later

Recommended Actions :

1. Upgrade immediately to a patched version
2. Disable Classic UI if not required
3. Monitor logs for suspicious access to `/h/rest`
4. Restrict public access to Zimbra web endpoints where possible
5. Review WebRoot permissions and exposed files

# References

https://nvd.nist.gov/vuln/detail/CVE-2025-68645

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

https://x.com/sirifu4k1/status/2006031417088639064

# Disclaimer

This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.

{
    "lastseen": "2026-01-02T17:52:04",
    "description": "This is a proof of concept exploiting a local file inclusion vulnerability existing in the Webmail Classic UI of Zimbra Collaboration ZCS versions 10.0 and 10.1. The issue is due to improper handling of user-supplied request parameters in the...",
    "published": "2026-01-02T00:00:00",
    "modified": "2026-01-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Zimbra Collaboration 10.0 / 10.1 Local File Inclusion",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213358",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-68645"
    ],
    "sourceData": "# zimbramail-CVE-2025-68645-poc\n    \n    A proof-of-concept exploiting a Local File Inclusion (LFI) vulnerability existing in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet.\n    \n    # Vulnerability\n    \n    The vulnerability exists due to improper input validation in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.\n    \n    -   User-controlled parameters are not correctly sanitized.\n    -   Internal request routing can be manipulated.\n    -   Arbitrary files under the WebRoot directory may be included in server responses.\n    \n    # Affected Versions\n    \n    -   Zimbra versions 10.0.x prior to 10.0.18\n    -   Zimbra versions 10.1.x prior to 10.1.13\n    \n    # Poc (by sirifu4k1)\n    \n    ```\n    http://127.0.0.1/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml\n    ```\n    \n    # Automation\n    \n    Nuclei-Template:\n    \n    https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-68645.yaml\n    \n    # Into the wild\n    \n    FOFA:\n    \n    ```\n    ((title=\"Zimbra Web Client Sign In\") || (title=\"Zimbra \u7f51\u7edc\u5ba2\u6237\u7aef\u767b\u5f55\"))\n    ```\n    \n    SHODAN:\n    \n    ```\n    http.title:\"Zimbra Web Client Sign In\"\n    ```\n    \n    # Impact\n    \n    An unauthenticated remote attackers can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.\n    \n    -   Read sensitive files (configs, environment data)\n    -   Leak credentials or internal paths\n    -   Gather intelligence for further exploitation\n    -   Chain with other vulnerabilities for deeper compromise\n    \n    Vector 3.x\n    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n    / Base Score 3.x\n    8.80\n    / Severity 3.x\n    HIGH\n    \n    # Remediation & Mitigation\n    \n    Update to the latest version of Zimbra Collaboration.\n    \n    -   ZCS 10.0.18\n    -   ZCS 10.1.13 and later\n    \n    Recommended Actions :\n    \n    1. Upgrade immediately to a patched version\n    2. Disable Classic UI if not required\n    3. Monitor logs for suspicious access to `/h/rest`\n    4. Restrict public access to Zimbra web endpoints where possible\n    5. Review WebRoot permissions and exposed files\n    \n    # References\n    \n    https://nvd.nist.gov/vuln/detail/CVE-2025-68645\n    \n    https://wiki.zimbra.com/wiki/Security_Center\n    \n    https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy\n    \n    https://x.com/sirifu4k1/status/2006031417088639064\n    \n    # Disclaimer\n    \n    This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.",
    "sourceHref": "https://packetstorm.news/download/213358",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213358/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Zimbra Collaboration 10.0 / 10.1 Local File Inclusion_PACKETSTORM:213358

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply