Zimbra has released software updates to address critical security flaws in its Collaboration software that could be exploited under certain conditions.
The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a SQL injection bug in the ZimbraSync SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4.
The flaw stems from insufficient sanitization of a request parameter, and it could be weaponized by authenticated attackers to inject arbitrary SQL queries and retrieve email metadata by "manipulating a specific parameter in the request."
Zimbra also said it addressed another critical vulnerability, a stored cross-site scripting (XSS) flaw in the Zimbra Classic Web Client. This flaw has yet to be assigned a CVE ID.
"The fix strengthens input sanitization and enhances security," the company noted in an advisory. The issue was resolved in versions 9.0.0 Patch 44, 10.0.13 and 10.1.5.
Another vulnerability addressed by Zimbra is CVE-2025-25065 (CVSS score: 5.3), a medium-severity server-side request forgery (SSRF) flaw in the RSS feed parser component that allows unauthorized redirection to internal network endpoints.
The security flaw was fixed in versions 9.0.0 Patch 43, 10.12 and 10.1.4. Customers are advised to update to the latest Zimbra Collaboration versions for optimal protection.