CVE-2024-54663 is a Local File Inclusion (LFI) vulnerability identified in the Webmail Classic UI component of Zimbra Collaboration Suite (ZCS) versions 9.0, 10.0, and 10.1. The vulnerability resides in the /h/rest endpoint, which improperly handles file path parameters, allowing authenticated remote attackers to craft malicious requests that include arbitrary files from the WebRoot directory. This flaw enables attackers to access sensitive files such as configuration files, credential stores, or other data that should be protected, potentially exposing critical information. Exploitation requires possession of a valid authentication token, meaning the attacker must have valid credentials or have compromised a session. The vulnerability does not require user interaction beyond authentication and does not allow modification of files, limiting the impact to confidentiality. The CVSS v3.1 score of 7.5 reflects a high severity due to the network attack vector, low attack complexity, no privileges required beyond authentication, and significant confidentiality impact. No public exploits or active exploitation have been reported to date. The vulnerability is tracked under CWE-829, which relates to improper restriction of operations within the bounds of a privileged interface. The lack of available patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

The primary impact of CVE-2024-54663 is unauthorized disclosure of sensitive information stored within the WebRoot directory of affected Zimbra Collaboration Suite installations. Attackers with valid authentication tokens can exploit this flaw to read configuration files, credential files, or other sensitive data, potentially leading to further attacks such as privilege escalation, lateral movement, or data exfiltration. Organizations relying on Zimbra for email and collaboration services may face confidentiality breaches, undermining trust and compliance with data protection regulations. Although the vulnerability does not allow modification or deletion of files, the exposure of sensitive information can facilitate more severe attacks. The requirement for authentication limits the attack surface to insiders or attackers who have already compromised credentials, but this does not eliminate risk, especially in environments with weak credential management or session controls. The vulnerability affects organizations worldwide that use the affected Zimbra versions, particularly those in sectors with high-value information such as government, finance, healthcare, and critical infrastructure.

1. Apply official patches or updates from Zimbra as soon as they become available to address the LFI vulnerability directly. 2. Restrict access to the /h/rest endpoint by implementing network-level controls such as firewalls or reverse proxies to limit access to trusted users and IP ranges. 3. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. 4. Monitor authentication logs and web server logs for unusual or suspicious requests targeting the /h/rest endpoint, especially those attempting to access unexpected file paths. 5. Conduct regular audits of user accounts and sessions to detect and revoke unauthorized or stale credentials. 6. Implement web application firewalls (WAFs) with custom rules to detect and block attempts to exploit LFI patterns in HTTP requests. 7. Educate users and administrators about the importance of credential security and session management to prevent unauthorized access. 8. Consider isolating or segmenting Zimbra servers within the network to limit lateral movement if a compromise occurs.