CVE-2025-25064 (CVSS 9.8) - Severe SQL Injection Vulnerability in Zimbra Collaboration
2/10/2025, 1 min read


Two recently disclosed security vulnerabilities in Zimbra Collaboration, a popular open-source platform for email, calendaring, file sharing, and task management, pose significant risks to businesses running the software. The vulnerabilities, identified as CVE-2025-25064 and CVE-2025-25065, could enable attackers to gain unauthorized access to sensitive data and internal network resources.
CVE-2025-25064 (CVSS 9.8): A critical SQL injection flaw affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. The vulnerability arises from inadequate sanitization of a user-supplied parameter in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this weakness by manipulating the parameter to inject arbitrary SQL queries, potentially granting them access to email metadata.
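The root cause described above, an unsanitized request parameter spliced into a SQL statement, is easiest to see side by side with the fix. The following is an added illustration written for this post, not Zimbra's code: it uses an in-memory SQLite table with constructed "email metadata" rows (a hypothetical schema, not the ZimbraSync one) and contrasts a string-concatenated lookup with a parameterized one. Input validation alone is not the fix; binding the value as a query parameter is.

```python
import sqlite3

# Constructed sample rows standing in for per-user email metadata (hypothetical schema).
SAMPLE_ROWS = [
    ("alice", "Q1 budget", "bob@example.com"),
    ("alice", "Lunch?", "carol@example.com"),
    ("bob", "Payroll export", "hr@example.com"),
]


def _connect():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail_meta (owner TEXT, subject TEXT, sender TEXT)")
    conn.executemany("INSERT INTO mail_meta VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(owner):
    """Vulnerable pattern: the caller-supplied value is concatenated into the
    statement, so quote characters in it change the query's structure.
    A value such as  alice' OR '1'='1  widens the WHERE clause to every row,
    which is the metadata-disclosure outcome the advisory warns about."""
    conn = _connect()
    sql = "SELECT subject, sender FROM mail_meta WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(owner):
    """Hardened pattern: the value is bound as a parameter. The database
    driver never parses it as SQL, so the same input simply matches no owner."""
    conn = _connect()
    return conn.execute(
        "SELECT subject, sender FROM mail_meta WHERE owner = ?", (owner,)
    ).fetchall()


if __name__ == "__main__":
    probe = "alice' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(probe))   # every row in the table
    print("hardened:  ", lookup_hardened(probe))     # []
```

When reviewing a SOAP or REST handler for this bug class, look for any query text built with `+`, `String.format`, or f-strings from request fields; each such site is a candidate regardless of what sanitization runs before it.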
CVE-2025-25065 (CVSS 5.3): A moderate-severity Server-Side Request Forgery (SSRF) vulnerability affecting Zimbra Collaboration versions 9.0.0 before Patch 43, 10.0.x prior to 10.0.12, and 10.1.x prior to 10.1.4. This flaw is present in the RSS feed parser and enables unauthorized redirection to internal network endpoints.
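An RSS feed fetcher is a classic SSRF surface because it fetches a URL that an ordinary user supplies. The following added example (written for this post, not Zimbra's parser) shows the defensive check a feed fetcher should apply: only http(s) schemes, every address the hostname resolves to must be public, and the check is repeated on every redirect hop rather than only on the initial URL, since the advisory describes redirection to internal endpoints. The resolver and the HTTP transport are injected so the code runs offline; the hostnames, addresses and responses in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin


def _resolve(host):
    """Default resolver: every address the name maps to (requires network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_allowed_feed_url(url, resolve=_resolve):
    """True only if url is http(s) and every address of its host is globally
    routable. ip_address(...).is_global is False for loopback, RFC 1918,
    link-local (including the 169.254.169.254 cloud metadata address),
    shared address space, multicast, reserved and unspecified ranges, for
    both IPv4 and IPv6, so one test covers the usual internal targets."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False
    try:
        # IP literal in the URL: judge it directly, no DNS involved.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = set(resolve(host))
        except OSError:  # socket.gaierror is a subclass of OSError
            return False
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def fetch_feed(url, http_get, resolve=_resolve, max_redirects=3):
    """Fetch a feed body, re-validating the target on every redirect.

    http_get(url) is injected and must return (status, headers, body) WITHOUT
    following redirects itself; following them here is what lets each hop be
    checked. Raises ValueError when any hop points at a disallowed target.
    """
    for _ in range(max_redirects + 1):
        if not is_allowed_feed_url(url, resolve):
            raise ValueError(f"blocked feed target: {url}")
        status, headers, body = http_get(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # relative Location allowed
            continue
        return body
    raise ValueError("too many redirects")
```

The important design point is the second validation inside the loop: a fetcher that checks only the submitted URL and then lets its HTTP client follow redirects transparently is still open to the redirect-to-internal-endpoint behaviour the advisory describes. DNS-rebinding between the check and the connect is a separate problem this example does not solve; pinning the resolved address for the actual connection closes that gap.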
Zimbra Collaboration has frequently been targeted by cybercriminals, with several critical vulnerabilities exploited in active attacks.
For instance, in October of last year, hackers leveraged CVE-2024-45519, a remote code execution (RCE) vulnerability in Zimbra’s postjournal service. This flaw allowed attackers to send specially crafted emails with malicious commands in the CC field, which were executed when the postjournal service processed the email.
Zimbra has released patches to address both CVE-2025-25064 and CVE-2025-25065, and users are strongly encouraged to update their systems as soon as possible.
To learn more about our services and how we can help protect your systems, visit https://www.vaptern.com/services or contact us directly.