CSRF Vulnerability in Zimbra Collaboration Affects Password Reset Functionality
CVE-2025-54390

6.3MEDIUM

Key Information:

Vendor: Zimbra
Status: Zimbra Collaboration Suite (ZCS)
Vendor: CVE Published:; 17 September 2025

What is CVE-2025-54390?

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the ResetPasswordRequest operation of Zimbra Collaboration Suite (ZCS). When the zimbraFeatureResetPasswordStatus attribute is enabled, an attacker can exploit this vulnerability by tricking an authenticated user into visiting a malicious webpage. This malicious site can silently execute a crafted SOAP request to reset the user's password without their consent, exploiting the lack of CSRF token validation on the endpoint. This presents a serious threat to the security and integrity of user accounts within the Zimbra platform.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosur...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 17, 2025
Vulnerability Reserved
Jul 21, 2025

JSON

Zimbra

What is CVE-2025-54390?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.