
CVE-2025-68645: n/a

Severity: High
Published: Mon Dec 22 2025 (12/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

AI-Powered Analysis

Last updated: 01/22/2026, 19:13:23 UTC

Technical Analysis

CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1. The root cause is improper handling of user-supplied request parameters in the RestFilter servlet, which serves the /h/rest endpoint: parameter values influence the internal request dispatching logic, so a crafted request can make the server include a file of the attacker's choosing in the response. No authentication is required.

Two scoping details matter for triage. First, the description limits inclusion to files under the WebRoot directory, that is, the web application's document root, not the host filesystem as a whole. The realistic exposure is therefore server-side content of the webapp itself (for example JSP source and deployment descriptors under WEB-INF) rather than operating-system files or Zimbra configuration stored outside the webapp. Second, LFI is a read primitive: by itself it discloses data, and any path to remote code execution or privilege escalation would require a separate flaw or a secret recovered from the disclosed files. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement); the CWE title names PHP, but the pattern is the same for any include or forward mechanism driven by untrusted input.

The severity shown on this page is High. The analysis source quotes a CVSS v3.1 base score of 8.8 with no privileges required and user interaction needed; however, the Technical Details below record no CVSS vector, and an unauthenticated read-only LFI is normally scored with high confidentiality impact and limited integrity and availability impact, so treat the numeric score as unconfirmed until the vendor advisory or the NVD entry is checked. At the time of this analysis no exploitation in the wild had been reported and no vendor patch was listed, but Zimbra's wide deployment for enterprise email makes the flaw a priority for exposure review.

Potential Impact

For European organizations, the impact of CVE-2025-68645 can be severe. Zimbra Collaboration Suite is widely used across Europe in both public and private sectors for email and collaboration services. The direct effect of exploitation is unauthorized disclosure of files from the webmail application's WebRoot, which compromises confidentiality; anything recovered from those files (source code, descriptors, embedded secrets) can then support further attacks such as lateral movement or privilege escalation. Integrity and availability are secondary concerns: an LFI does not by itself let an attacker modify files or inject content, although malformed requests to the endpoint could in principle disrupt the webmail interface, and any follow-on compromise built on disclosed secrets could affect both. Given the central role of email in business and government operations, even a confidentiality-only incident can have cascading effects on productivity and trust, and exposure of personal data in mail or configuration could trigger regulatory obligations and penalties under GDPR. Because no authentication is required, any Internet-facing Zimbra webmail instance is reachable by remote adversaries from outside the network perimeter, which enlarges the attack surface considerably.

Mitigation Recommendations

1. Monitor and log all requests to the /h/rest endpoint and alert on malformed or suspicious ones (path traversal sequences, percent-encoded or double-encoded dots and slashes, references to WEB-INF, JSP or XML files in the query string). Decode parameters before matching; a filter that inspects only the raw request string misses double encoding.
2. Strict validation of the parameters processed by the RestFilter servlet, accepting only expected and safe values, is a fix for the vendor's code. Operators should not attempt to patch the servlet themselves; enforce the equivalent controls at the reverse proxy or WAF instead.
3. Likewise, restricting the paths the servlet may include to an explicit allow-list, so that traversal or inclusion outside the intended directory is impossible, belongs in the vendor fix.
4. Deploy Web Application Firewall (WAF) rules that block generic LFI patterns on the Zimbra webmail endpoints, again matching on decoded values.
5. Isolate Zimbra servers in segmented network zones with minimal access to other systems and file shares, so that a compromised webmail host yields as little as possible.
6. Regularly audit and review Zimbra configurations and logs for anomalies.
7. Plan and prioritize the upgrade to a patched Zimbra Collaboration Suite release as soon as the vendor publishes one.
8. Brief IT and security teams on this vulnerability so that detection and response are rapid.
9. Where feasible, disable the Webmail Classic UI or restrict access to its /h/ paths to trusted networks until a patch is available; the Modern UI and mobile clients are unaffected by a restriction on the Classic UI paths only if users do not depend on them, so confirm usage first.
10. Conduct penetration testing focused on LFI vectors to validate that the mitigations above are effective.
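The following is an added example of the monitoring logic in items 1 and 4, written for this page rather than taken from Zimbra or the analysis source. It assumes access-log lines in the common "combined" format, and its indicators are generic LFI heuristics (traversal, double encoding, references to WEB-INF, JSP, XML or properties files, embedded null bytes), not a signature for CVE-2025-68645 itself, since the affected parameter names are not given on this page. The sample log lines are constructed.

```python
"""Heuristic detector for LFI-style probing of the Zimbra /h/rest endpoint.

Added example, not Zimbra code. Assumptions: combined-format access-log lines;
the indicators are generic LFI heuristics, not a CVE-specific signature.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')
SENSITIVE = re.compile(r'WEB-INF|META-INF|\.jsp\b|\.xml\b|\.properties\b', re.I)

# Constructed sample log lines (not real traffic). Line 2 is a plain traversal
# attempt; line 3 is the same payload double-encoded, which a WAF matching the
# raw request string would miss; line 4 is unrelated traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Dec/2025:10:01:02 +0000] "GET /h/rest?foo=bar HTTP/1.1" 200 512
203.0.113.10 - - [22/Dec/2025:10:01:03 +0000] "GET /h/rest?x=..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 2048
198.51.100.7 - - [22/Dec/2025:10:02:00 +0000] "GET /h/rest?x=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 404 0
192.0.2.5 - - [22/Dec/2025:10:03:00 +0000] "GET /zimbra/ HTTP/1.1" 200 100
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def decode_fully(s, max_rounds=4):
    """Percent-decode repeatedly until stable, so double encoding cannot hide a payload."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the LFI indicators found in a /h/rest request, or None for other paths.

    An empty list means the request targeted /h/rest but looked benign.
    """
    parts = urlsplit(entry["target"])
    path = decode_fully(parts.path).split(";", 1)[0].lower()  # drop ;jsessionid=...
    if not path.startswith("/h/rest"):
        return None
    query = decode_fully(parts.query)
    reasons = []
    if TRAVERSAL.search(query) or TRAVERSAL.search(path):
        reasons.append("traversal")
    if SENSITIVE.search(query):
        reasons.append("sensitive-target")
    if "\x00" in query:
        reasons.append("null-byte")
    return reasons


def scan(lines):
    """Run classify() over log lines and return the suspicious /h/rest requests."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "target": entry["target"],
                         "status": entry["status"], "reasons": reasons})
    return hits


def by_source(hits):
    """Count suspicious requests per client address, for alert thresholding."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit["ip"], hit["status"], ",".join(hit["reasons"]), hit["target"])
```

Run it against a real access log with `scan(open(path).read().splitlines())`. The point of `decode_fully` is the third sample line: its `%252e%252e%252f` only becomes `../` after two decoding passes, so a rule written against the raw request would never fire. A 200 response on a flagged request deserves more attention than a 404, since it suggests the server actually served something for the manipulated parameter.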


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-21T00:00:00.000Z
CVSS Version: null (no CVSS vector recorded)
State: PUBLISHED

Threat ID: 69498cb05b5b68b8f5dee2ad

Added to database: 12/22/2025, 6:23:44 PM

Last enriched: 1/22/2026, 7:13:23 PM

Last updated: 2/7/2026, 4:20:17 AM

Views: 481
