CVE-2025-8264: SQL Injection in z-push/z-push-dev
Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious SQL by manipulating the username field in HTTP Basic authentication. This allows the attacker to read and potentially modify or delete sensitive data in a linked third-party database. **Note:** This vulnerability affects Z-Push installations that use the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured.

Mitigation: change the configuration in backend/imap/config.php so that the From address is taken from the default rule or from LDAP instead of from SQL:

define('IMAP_DEFAULTFROM', '');

or

define('IMAP_DEFAULTFROM', 'ldap');
AI Analysis
Technical Summary
CVE-2025-8264 is a critical SQL injection vulnerability in the z-push/z-push-dev package before version 2.7.6. The IMAP backend can look up a user's From address in an external SQL database; when that lookup is configured, the query defined by IMAP_FROM_SQL_QUERY is assembled by textual substitution rather than with bound parameters. Because the value substituted in is the username taken from the HTTP Basic authentication header, an unauthenticated remote attacker can inject arbitrary SQL before any credential check takes place. The injected SQL runs against the linked third-party database, so its reach is bounded by what that database holds and what the configured database account may do: reading, modifying or deleting data there. The CVSS 4.0 score of 9.1 (attack vector network, low attack complexity, no privileges required, no user interaction) rates confidentiality and integrity impact as high and availability impact as none. Only installations that use the IMAP backend with the SQL From-address lookup enabled are affected; the relevant settings live in backend/imap/config.php. The recommended mitigation is to set IMAP_DEFAULTFROM to an empty string (the default rule) or to 'ldap', which sources the From address elsewhere and never reaches the vulnerable query. Note that this setting selects only the From-address source; it does not change the mail backend itself. No exploits in the wild had been reported at the time of writing, but the low complexity and absence of any authentication make prompt action warranted.
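To make the mechanism concrete, the following is an added example and not code from Z-Push or from the advisory: a Python/sqlite3 stand-in for the From-address lookup. It assumes the shipped default form of IMAP_FROM_SQL_QUERY, which selects the user row by substituting the placeholders #username and #domain with values from the Basic-auth credentials; the user rows and the secrets table are constructed for the demonstration.

```python
import sqlite3

# Stand-in for the shipped default IMAP_FROM_SQL_QUERY (assumption: the real
# query has this shape; the placeholders are replaced textually by the backend).
DEFAULT_QUERY = ("select first_name, last_name, mail_address from users "
                 "where mail_address = '#username@#domain'")


def make_db():
    """Build an in-memory 'linked third-party database' with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (first_name, last_name, mail_address)")
    db.executemany("insert into users values (?, ?, ?)", [
        ("Alice", "Adams", "alice@example.org"),
        ("Bob", "Brown", "bob@example.org"),
        ("Carol", "Clark", "carol@example.org"),
    ])
    # An unrelated table in the same database: this is the 'sensitive data'
    # the advisory warns about, reachable only through the injection.
    db.execute("create table secrets (name, value)")
    db.execute("insert into secrets values ('api_key', 's3cr3t')")
    return db


def lookup_vulnerable(db, username, domain="example.org"):
    """Vulnerable pattern: the username is spliced into the SQL text.

    A username such as  x' or 1=1 --  closes the quoted literal, adds a
    condition, and comments out the trailing  @domain'  so the query stays
    syntactically valid.
    """
    sql = DEFAULT_QUERY.replace("#username", username).replace("#domain", domain)
    return db.execute(sql).fetchall()


def lookup_fixed(db, username, domain="example.org"):
    """Hardened form: the address is passed as a bound parameter, so quotes,
    comment markers and keywords in the username are plain data."""
    sql = ("select first_name, last_name, mail_address from users "
           "where mail_address = ?")
    return db.execute(sql, (f"{username}@{domain}",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))                      # one row
    print(lookup_vulnerable(db, "x' or 1=1 --"))               # every user
    print(lookup_vulnerable(db, "x' union select name, value, '' from secrets --"))
    print(lookup_fixed(db, "x' or 1=1 --"))                    # []
```

The second and third calls show the two impacts named in the description: the boolean payload returns every row the query can see, and the UNION payload pulls rows out of a table the From-address lookup was never meant to touch. The parameterized version returns nothing for either payload because no mailbox literally named `x' or 1=1 --@example.org` exists.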
Potential Impact
For European organizations, this vulnerability poses a severe risk, especially for those using Z-Push to synchronize email and calendar data to mobile devices with the IMAP backend. Exploitation could lead to unauthorized disclosure and alteration of sensitive corporate data, potentially including personal data protected under GDPR, with the usual consequences of breach notification, regulatory penalties, reputational damage and operational disruption. Organizations that point the From-address lookup at a shared or central database (a user directory, an ERP or CRM system) are particularly exposed, because the injected SQL runs with whatever privileges the configured database account holds and is not confined to the mail-related rows. Because the flaw is reachable remotely without valid credentials, an attacker can read, alter or delete data in that database at will. The impact is amplified in sectors with high data sensitivity such as finance, healthcare and government institutions prevalent across Europe, and silent manipulation of data could undermine trust in communication systems, affecting business continuity and compliance obligations.
Mitigation Recommendations
Beyond the suggested configuration change, European organizations should:
1) Immediately audit all Z-Push installations to identify those using the IMAP backend with the SQL From-address lookup enabled, i.e. where backend/imap/config.php sets IMAP_DEFAULTFROM to 'sql'.
2) On affected hosts, set IMAP_DEFAULTFROM to '' or 'ldap' as recommended so that the IMAP_FROM_SQL_QUERY path is never executed; the other IMAP_FROM_SQL_* settings are then inert.
3) Monitor authentication logs for unusual or malformed usernames in Basic authentication (quotes, comment markers such as -- or /*, SQL keywords) that could indicate attempted exploitation.
4) Deploy a Web Application Firewall with SQL injection rules in front of the ActiveSync endpoint as a temporary layer; treat it as detection and friction, not as a fix, since the username arrives base64-encoded in the Authorization header and generic rules may miss it.
5) Conduct penetration testing and code review focused on query parameterization in custom or legacy Z-Push deployments.
6) Ensure that any third-party database linked to Z-Push is segregated, that the account Z-Push uses has read-only access to the minimum set of tables, and that database access is logged to detect unauthorized reads or modifications.
7) Update Z-Push to version 2.7.6 or later, which contains the fix; the configuration change above is a stop-gap, not a replacement for patching.
8) Educate IT and security teams about the risks of SQL injection in authentication mechanisms and the importance of secure coding practices.
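As an added example for steps 1 and 3 (not a Z-Push tool and not part of the original advisory), the following Python helper checks a config.php for the exposed setting and screens Basic-auth header values for injection-like usernames. The config snippet and the header values are constructed; the only assumption about Z-Push is that config.php uses plain define('NAME', 'value') calls and that the SQL path is selected by IMAP_DEFAULTFROM = 'sql', as the mitigation implies.

```python
import base64
import re

# Constructed sample of backend/imap/config.php (assumption: it mirrors the
# define() style of the real file; the DSN and query values are made up here).
SAMPLE_CONFIG = """<?php
define('IMAP_SERVER', 'localhost');
define('IMAP_DEFAULTFROM', 'sql');
define('IMAP_FROM_SQL_DSN', 'mysql:host=127.0.0.1;dbname=mail');
define('IMAP_FROM_SQL_QUERY', "select first_name, last_name, mail_address from users where mail_address = '#username@#domain'");
"""

# Matches define('NAME', 'value') or define('NAME', "value") at line start,
# so commented-out lines (// define(...)) are ignored.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|"([^"]*)")\s*\)""", re.M)


def parse_defines(php_text):
    """Return {NAME: value} for the simple string define() calls in php_text."""
    out = {}
    for m in DEFINE_RE.finditer(php_text):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def audit_config(php_text):
    """Return (IMAP_DEFAULTFROM value, exposed).

    The injectable IMAP_FROM_SQL_QUERY path is only used when IMAP_DEFAULTFROM
    is 'sql'; '' and 'ldap' (the advisory's two safe values) never reach it.
    """
    value = parse_defines(php_text).get("IMAP_DEFAULTFROM", "")
    return value, value.lower() == "sql"


# Tokens that have no business in a mailbox name but matter inside SQL text.
SUSPECT_TOKENS = ("'", '"', ";", "--", "/*", "#")
SUSPECT_WORDS = re.compile(r"\b(union|select|sleep|benchmark)\b", re.I)


def suspicious_username(username):
    """Return the list of injection-like tokens found in a Basic-auth username."""
    hits = [t for t in SUSPECT_TOKENS if t in username]
    hits += [w.lower() for w in SUSPECT_WORDS.findall(username)]
    return hits


def basic_auth_username(header_value):
    """Decode 'Basic <b64(user:pass)>'; return the user part, or None if the
    header is not Basic or the base64 is malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.partition(":")[0]


# Constructed Authorization header values, as a log or proxy would record them.
SAMPLE_HEADERS = [
    "Basic " + base64.b64encode(b"alice@example.org:hunter2").decode(),
    "Basic " + base64.b64encode(b"x' or 1=1 --:anything").decode(),
    "Bearer not-basic-at-all",
]


def scan_auth_headers(headers):
    """Return [(username, hits)] for every Basic-auth header whose username
    looks like an injection attempt."""
    findings = []
    for h in headers:
        user = basic_auth_username(h)
        if user is None:
            continue
        hits = suspicious_username(user)
        if hits:
            findings.append((user, hits))
    return findings


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))        # ('sql', True)
    print(scan_auth_headers(SAMPLE_HEADERS))  # [("x' or 1=1 --", ["'", '--'])]
```

Because the username is base64-encoded on the wire, pattern matching has to happen after decoding; a rule that inspects only the raw Authorization header will not see the quote or the comment marker. Apostrophes do appear in a few legitimate names, so treat a hit as a triage signal rather than an automatic block.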
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: snyk
- Date Reserved: 2025-07-26T16:31:09.228Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68885973ad5a09ad008b4380
Added to database: 7/29/2025, 5:17:39 AM
Last enriched: 7/29/2025, 5:32:42 AM
Last updated: 7/29/2025, 2:41:06 PM