NVD - CVE-2025-68645

Change History

6 change records found

Modified Analysis by NIST 1/23/2026 1:39:33 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Changed | CPE Configuration | OR `*cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*` versions from (including) 10.0.0 up to (excluding) 10.0.18; `*cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*` versions from (including) 10.1.0 up to (excluding) 10.1.13 | OR `*cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*` versions from (including) 10.0.0 up to (excluding) 10.0.18; `*cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*` versions from (including) 10.1.0 up to (excluding) 10.1.13 |
| Added | Reference Type | | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645 Types: US Government Resource |

CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 1/22/2026 9:00:02 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Added | Date Added | | 2026-01-22 |
| Added | Due Date | | 2026-02-12 |
| Added | Required Action | | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Added | Vulnerability Name | | Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability |

CVE Modified by CISA-ADP 1/22/2026 2:15:56 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Added | Reference | | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645 |

Initial Analysis by NIST 1/02/2026 1:16:52 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Added | CPE Configuration | | OR `*cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*` versions from (including) 10.0.0 up to (excluding) 10.0.18; `*cpe:2.3:a:zimbra:collaboration:*:*:*:*:*:*:*:*` versions from (including) 10.1.0 up to (excluding) 10.1.13 |
| Added | Reference Type | | MITRE: https://wiki.zimbra.com/wiki/Security_Center Types: Release Notes, Vendor Advisory |
| Added | Reference Type | | MITRE: https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy Types: Product |

CVE Modified by CISA-ADP 12/22/2025 4:15:45 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Added | CWE | | CWE-98 |

New CVE Received from MITRE 12/22/2025 1:16:17 PM

| Action | Type | Old Value | New Value |
| --- | --- | --- | --- |
| Added | Description | | A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. |
| Added | Reference | | https://wiki.zimbra.com/wiki/Security_Center |
| Added | Reference | | https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy |