Zimbra Collaboration Suite (ZCS) SQL Injection Vulnerability (CVE-2025-25064)

Zimbra has released a security advisory addressing a vulnerability in the Zimbra Collaboration Suite (ZCS). Tracked as CVE-2025-25064, it carries a critical severity rating with a CVSS score of 9.8. Successful exploitation may allow attackers to gain unauthorized access to sensitive data and internal network resources.

Zimbra Collaboration Suite (ZCS) is a software suite that provides businesses with secure email, chat, and calendar services. It is an open platform that allows users to manage and control their data. The software enables users to schedule meetings, track attendance, and check team member availability.

Vulnerability Details

The SQL injection vulnerability exists in the ZimbraSyncService SOAP endpoint and stems from inadequate sanitization of a user-supplied parameter. By manipulating a specific parameter in the request, an authenticated attacker can inject arbitrary SQL queries and retrieve email metadata.
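To make the bug class concrete, here is an added example (not Zimbra's code; the table, column and function names are hypothetical, and the data is constructed): a metadata lookup that interpolates a user-supplied parameter into SQL, beside the parameterized form that fixes it, with a helper that checks whether a result set contains rows outside the caller's own account.

```python
"""Constructed illustration of the bug class described above: a metadata
lookup whose user-supplied parameter reaches SQL unsanitized, beside a
parameterized version. Hypothetical schema and names, not Zimbra's code."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for mail metadata."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_item (id INTEGER, account TEXT, folder TEXT, subject TEXT)"
    )
    conn.executemany(
        "INSERT INTO mail_item VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "Inbox", "Q1 budget"),
            (2, "alice", "Sent", "Re: Q1 budget"),
            (3, "bob", "Inbox", "Password reset"),
            (4, "carol", "Inbox", "Board minutes"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str, folder: str) -> list:
    """Builds the statement by string formatting: the folder value is parsed as
    SQL, so a crafted value can rewrite the WHERE clause and return rows that
    belong to other accounts."""
    sql = (
        "SELECT id, account, subject FROM mail_item "
        f"WHERE account = '{account}' AND folder = '{folder}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account: str, folder: str) -> list:
    """Binds the value as a parameter: it is only ever compared as data and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, account, subject FROM mail_item WHERE account = ? AND folder = ?"
    return conn.execute(sql, (account, folder)).fetchall()


def leaked_accounts(rows: list, caller: str) -> set:
    """Accounts other than the authenticated caller that appear in a result set;
    a non-empty set means the query returned metadata it should not have."""
    return {acct for _, acct, _ in rows if acct != caller}
```

A regression test for the fix is to run both lookups with a folder value that contains a quote and an OR clause and confirm that the parameterized version returns no rows from other accounts.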

Affected versions

The vulnerability affects the Zimbra Collaboration Suite versions before 10.0.12 and 10.1.4.

Mitigation

Customers must upgrade to the following versions to patch the vulnerability:

  • Zimbra Collaboration Suite 10.1.4
  • Zimbra Collaboration Suite 10.0.12

For more information, please refer to the Zimbra Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QIDs 382807 and 152713 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes
