virus logo Threat Signal Report

Zimbra Collaboration Local File Inclusion

What is the Vulnerability?

A Local File Inclusion (LFI) vulnerability (CVE-2025-68645) exists in the Zimbra Collaboration Suite (ZCS) Webmail Classic UI due to improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft malicious requests, potentially exposing sensitive configuration and application data and aiding further compromise.

Successful exploitation may allow threat actors to:
• Leak sensitive files from the system WebRoot directory
• Gain reconnaissance and foothold inside the targeted environment.
• Potentially leverage exposed information for further exploitation or escalation.
• A public proof-of-concept exploit is available, and active exploitation has been observed.

What is the recommended Mitigation?

• Apply vendor patches immediately for all affected ZCS versions (Zimbra Collaboration (ZCS) 10.0 – 10.0.17- Zimbra Collaboration (ZCS) 10.1.0 – 10.1.12), and Fixed versions are 10.0.18 and 10.1.13.
• Restrict access to Zimbra Webmail interfaces from untrusted networks.
• Hunt for anomalous file inclusion requests and unauthorized file access patterns.

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-68645. Intrusion Prevention | FortiGuard Labs
• FortiGuard Antivirus & Behavior Detection: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
• Indicators of Compromise (IOCs) Service: The FortiGuard team is continuously monitoring for emerging threats and new IOCs.
• FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

description-logoOutbreak Alert

A Local File Inclusion (LFI) vulnerability (CVE-2025-68645) exists in the Zimbra Collaboration Suite (ZCS) Webmail Classic UI due to improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft malicious requests, potentially exposing sensitive configuration and application data and aiding further compromise.

View the full Outbreak Alert Report

Additional Resources

Zimbra Patch Release


Released Date Jan 28, 2026
Tags Zimbra Collaboration LFI Threat Signal Vulnerability
CVE ID

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert
About FortiGuard Threat Signal

Learn More »