CSRF Vulnerability in Zimbra Collaboration Affects Password Reset Functionality
CVE-2025-54390

6.3 MEDIUM

Key Information:

Vendor: Zimbra
CVE Published: 17 September 2025

What is CVE-2025-54390?

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the ResetPasswordRequest operation of Zimbra Collaboration Suite (ZCS). When the zimbraFeatureResetPasswordStatus attribute is enabled, an attacker can exploit it by tricking an authenticated user into visiting a malicious webpage. That page can then silently submit a crafted SOAP request that resets the user's password without their consent, because the endpoint does not validate a CSRF token. This presents a serious threat to the security and integrity of user accounts within the Zimbra platform.
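As an added illustration (not Zimbra's own code), this is the kind of server-side guard whose absence the description refers to: a SOAP handler that only honours a ResetPasswordRequest when the request's Origin matches the deployment and carries a token bound to the caller's session. The header name, allowed origin, SOAP namespace and sample body are assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://mail.example.com"}  # assumed deployment origin
SERVER_SECRET = secrets.token_bytes(32)          # per-process key for token derivation
CSRF_HEADER = "X-CSRF-Token"                     # assumed header name (not Zimbra's)

# Constructed sample SOAP body; the namespace is an assumption.
SAMPLE_BODY = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
 <soap:Body><ResetPasswordRequest xmlns="urn:zimbraAccount">
  <password>new-password</password></ResetPasswordRequest></soap:Body>
</soap:Envelope>"""


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; only same-origin script can read and resend it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_reset_password_request(body: str) -> bool:
    """True if the SOAP body carries a ResetPasswordRequest element (any namespace)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return any(el.tag.rsplit("}", 1)[-1] == "ResetPasswordRequest" for el in root.iter())


def check_csrf(headers: dict, session_id: str, body: str) -> tuple[bool, str]:
    """Reject cross-site state changes: exact-origin allow-list plus session-bound token."""
    if not is_reset_password_request(body):
        return True, "not a reset request"
    # Compare scheme://host exactly; a prefix check would accept look-alike hosts.
    parts = urlsplit(headers.get("Origin") or headers.get("Referer", ""))
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    token = headers.get(CSRF_HEADER, "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

A cross-site page cannot add the custom header without a CORS preflight, so the token check alone blocks the forged request; the origin check is defence in depth.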

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved