vulnerability

Zimbra Collaboration: CVE-2025-25064: An SQL injection vulnerability.

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:S/C:C/I:C/A:C)	Feb 3, 2025	Feb 26, 2025	Jul 2, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Published

Feb 3, 2025

Added

Feb 26, 2025

Modified

Jul 2, 2025

Description

Sql injection vulnerability in the zimbrasync service soap endpoint in zimbra collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary sql queries that could retrieve email metadata.

Solution

zimbra-collaboration-upgrade-latest

References

CWE-89
CVE-2025-25064
https://attackerkb.com/topics/CVE-2025-25064
URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes
URL-https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes
URL-https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today