Zimbra fixes flaws in Zimbra Collaboration, at least one critical
Take action: If you are running Zimbra Collaboration, plan to patch as soon as possible. Isolating the affected components from the internet would help, but for a mail platform that is rarely practical, so start planning the upgrade now.
Learn More
Zimbra has released security updates to address multiple vulnerabilities in its Collaboration software suite, a widely-used enterprise email and collaboration platform. The most severe of these vulnerabilities could lead to unauthorized information disclosure and system compromise.
- CVE-2025-25064 (CVSS score 9.8) - SQL injection vulnerability in the ZimbraSync Service SOAP endpoint. An authenticated attacker can manipulate a request parameter to inject arbitrary SQL queries and retrieve email metadata. Affects versions prior to 10.0.12 and 10.1.4
- Stored Cross-Site Scripting (XSS) vulnerability (CVE identifier pending) - Affects the Zimbra Classic Web Client. Fixed in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5
- CVE-2025-25065 (CVSS score 5.3) - Server-side request forgery (SSRF) vulnerability in the RSS feed parser component. Enables requests to be redirected to internal network endpoints without authorization. Patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4
- CSRF in GraphQL endpoints - Enables unauthorized API operations; the attack does not require the attacker to hold a valid authentication token
The vulnerabilities could potentially lead to data theft, unauthorized account access, service disruption, manipulation of backend database records, or lateral movement within corporate networks.
Zimbra has released patches in the following versions:
- Zimbra 9.0.0 Patch 44
- Zimbra 10.0.13
- Zimbra 10.1.5
Organizations are strongly advised to upgrade to these latest versions immediately to protect against potential exploitation.
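A quick way to turn the version list above into an inventory check. This is an added example, not Zimbra's own tooling: it maps the fixed versions named in this advisory to each issue and reports which issues a given installed version is still exposed to. The `zmcontrol -v` output format it parses ("Release 9.0.0.GA.... , Patch 9.0.0_P43") is assumed, and because the advisory gives no fixed version for the GraphQL CSRF issue, the example treats it as fixed in the current patch set (9.0.0 Patch 44, 10.0.13, 10.1.5), which is an assumption.

```python
import re

# Fixed versions named in the advisory, keyed by release branch.
# 9.0.0 is tracked by patch level (Patch 43 / 44); 10.0.x and 10.1.x by the
# third version component. A branch missing from an entry means the advisory
# does not list that branch as affected by the issue.
FIXED_IN = {
    "CVE-2025-25064 SQL injection (ZimbraSync SOAP)": {"10.0": 12, "10.1": 4},
    "CVE-2025-25065 SSRF (RSS feed parser)": {"9.0.0": 43, "10.0": 12, "10.1": 4},
    "Stored XSS (Classic Web Client, CVE pending)": {"9.0.0": 44, "10.0": 13, "10.1": 5},
    # Assumption: the advisory gives no fixed version for the GraphQL CSRF
    # issue, so it is mapped to the patch set it was announced with.
    "CSRF in GraphQL endpoints": {"9.0.0": 44, "10.0": 13, "10.1": 5},
}


def parse_version(text):
    """Return (branch, level) from a version string, or None if unrecognised.

    Accepts a bare version such as '10.0.11' or the first line of
    `zmcontrol -v`, assumed to look like
    'Release 9.0.0.GA.4314.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P43'.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor, patch) == (9, 0, 0):
        # Patch level appears as '_P43' or 'Patch 44'; the negative lookahead
        # rejects the '9' in 'Patch 9.0.0_P43' so the real level is picked up.
        p = re.search(r"(?:_P|\bPatch\s+)(\d+)(?!\.\d)", text)
        level = int(p.group(1)) if p else 0
        return "9.0.0", level
    if major == 10 and minor in (0, 1):
        return f"10.{minor}", patch
    return None


def missing_fixes(text):
    """List the advisory issues the given version is still exposed to."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised Zimbra version: {text!r}")
    branch, level = parsed
    return [issue for issue, fixed in FIXED_IN.items()
            if branch in fixed and level < fixed[branch]]


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real host.
    for sample in (
        "Release 10.0.11.GA.4700.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
        "Release 9.0.0.GA.4314.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P43",
        "10.1.5",
    ):
        gaps = missing_fixes(sample)
        print(sample, "->", "patched" if not gaps else gaps)
```

Run it against the output of `zmcontrol -v` from each mailbox host; a 9.0.0 Patch 43 host, for example, is reported as still missing the stored XSS and CSRF fixes even though the SSRF fix is in place.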