SQL Injection Vulnerability in Zimbra Collaboration by Zimbra
CVE-2025-25064
Key Information:
- Vendor
Zimbra
- Status
- Vendor
- CVE Published:
- 3 February 2025
Badges
What is CVE-2025-25064?
CVE-2025-25064 is a significant SQL injection vulnerability found in the Zimbra Collaboration software. Zimbra, a platform designed for enterprise email, calendar, and collaboration, is widely used by organizations to manage their communication needs. This vulnerability arises from inadequate sanitization of user inputs within the ZimbraSync Service SOAP endpoint, which could be exploited by authenticated attackers. If successfully exploited, this flaw could lead to unauthorized access to sensitive email metadata, ultimately undermining the confidentiality and integrity of organizational communications.
Technical Details
The vulnerability affects Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. It stems from the insufficient handling of user-supplied parameters, which allows an attacker to craft malicious requests that inject arbitrary SQL queries into the system. By manipulating these SQL queries, attackers can extract information, potentially accessing sensitive data stored in Zimbra's database.
Potential Impact of CVE-2025-25064
-
Data Breach Risk: The ability to retrieve email metadata could lead to exposure of sensitive information, such as user communication patterns and confidential discussions within an organization.
-
Unauthorized Access: The exploitation of this vulnerability could allow attackers to gain deeper access to the system, potentially facilitating further attacks or unauthorized actions within the Zimbra environment.
-
Reputational Damage: Organizations affected by this vulnerability may face significant reputational harm, particularly if sensitive data leaks result in erosion of trust among clients and stakeholders.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Zimbra Security Updates Fix a Critical SQL Injection Vulnerability
Zimbra has released updates that fix vulnerabilities in its products. One of the vulnerabilities is critical, at a CVSS rating of 9.8, the other is of medium
The Hacker NewsCVE-2025-25064Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities
Zimbra has patched CVE-2025-25064, a critical SQL injection flaw (CVSS 9.8), and other security bugs. Update now to protect against exploits.
CybersecurityNewsCritical Zimbra Vulnerabilities Let Attackers Unauthorized Access to Internal Resources
Zimbra Collaboration, a popular open-source email and collaboration software, was recently discovered to include critical vulnerabilities.
References
EPSS Score
9% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 📰
First article discovered by CybersecurityNews
Vulnerability published
Vulnerability Reserved