CVE-2025-25064
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Analysis
Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 contain a SQL injection in the ZimbraSync Service SOAP endpoint. An authenticated attacker can manipulate a sync parameter to inject arbitrary SQL into queries against the mailbox database. The vendor description scopes the confirmed impact to retrieval of email metadata (folder, item, sender and subject information across mailboxes); the CVSS vector nonetheless rates confidentiality, integrity and availability impact as high, since arbitrary SQL executed by the mailbox server's database account is not limited to reads of a single mailbox.
Technical Context
The ZimbraSync Service processes mobile device (Exchange ActiveSync) synchronization requests via SOAP. A parameter in the sync protocol is insufficiently sanitized before it is used to build a SQL query, so any authenticated mailbox user, not only an administrator, can alter the query. In a Zimbra deployment the database reached this way is the mailbox metadata store (MariaDB): it holds per-mailbox item, folder, tag and flag metadata for every account on the server, so the injection can expose other users' metadata. Account passwords and global configuration are kept in LDAP, not in this database, so they are not read directly through the injection; the page's remediation advice to rotate them is precautionary.
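The following is an added illustration of the flaw pattern described above, not Zimbra's code: a hypothetical "items changed since token" lookup whose sync token is spliced into the SQL text, beside a hardened version that type-checks the token and binds it as a parameter. The schema, column names and sample rows are constructed for the example and stand in for a mailbox metadata store; they are not Zimbra's actual tables.

```python
import sqlite3

# Constructed sample data standing in for a mailbox metadata store.
# Hypothetical schema for illustration only; not Zimbra's real tables.
SAMPLE_ITEMS = [
    # (mailbox_id, item_id, subject, sender, mod_metadata)
    (1, 257, "Q3 budget", "cfo@example.com", 10),
    (1, 258, "Lunch?", "bob@example.com", 12),
    (2, 300, "Password reset", "it@example.com", 11),
    (2, 301, "Merger draft", "legal@example.com", 15),
]


def build_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_item (mailbox_id INTEGER, id INTEGER, "
        "subject TEXT, sender TEXT, mod_metadata INTEGER)"
    )
    conn.executemany("INSERT INTO mail_item VALUES (?, ?, ?, ?, ?)", SAMPLE_ITEMS)
    return conn


def changed_items_vulnerable(conn, mailbox_id, sync_token):
    """The pattern the advisory describes: the client-supplied sync token is
    spliced straight into the SQL text, so it can rewrite the WHERE clause."""
    sql = (
        "SELECT mailbox_id, id, subject, sender FROM mail_item "
        f"WHERE mailbox_id = {int(mailbox_id)} AND mod_metadata > {sync_token}"
    )
    return conn.execute(sql).fetchall()


def changed_items_fixed(conn, mailbox_id, sync_token):
    """Hardened form: the token must be a non-negative integer string and is
    bound as a parameter, so it is only ever compared as a number."""
    if not isinstance(sync_token, str) or not sync_token.isdigit():
        raise ValueError("sync token must be a non-negative integer")
    sql = (
        "SELECT mailbox_id, id, subject, sender FROM mail_item "
        "WHERE mailbox_id = ? AND mod_metadata > ?"
    )
    return conn.execute(sql, (int(mailbox_id), int(sync_token))).fetchall()


def demo():
    conn = build_db()
    # Legitimate request from mailbox 1 asking for items changed after token 10.
    honest = changed_items_vulnerable(conn, 1, "10")
    # Same caller, but the token carries a tautology. The clause becomes
    #   mailbox_id = 1 AND mod_metadata > 0 OR 1=1
    # and the per-mailbox restriction is bypassed: mailbox 2's rows leak.
    injected = changed_items_vulnerable(conn, 1, "0 OR 1=1")
    try:
        changed_items_fixed(conn, 1, "0 OR 1=1")
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    fixed_honest = changed_items_fixed(conn, 1, "10")
    return {
        "honest_mailboxes": sorted({r[0] for r in honest}),
        "injected_mailboxes": sorted({r[0] for r in injected}),
        "fixed_rejected": fixed_rejected,
        "fixed_honest_ids": sorted(r[1] for r in fixed_honest),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns rows from both mailboxes for a caller who owns only mailbox 1; the fixed path rejects the malformed token outright and, for a valid one, returns only that mailbox's changed item. Binding the value is the essential fix; the integer check in front of it is defence in depth that also gives the endpoint a clean error to log.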
Affected Products
Zimbra Collaboration 10.0.x < 10.0.12
Zimbra Collaboration 10.1.x < 10.1.4
Remediation
Update to Zimbra 10.0.12 (10.0.x branch) or 10.1.4 (10.1.x branch). Review the Zimbra mailbox and audit logs for ZimbraSync requests carrying SQL syntax in sync parameters; any authenticated user, including a compromised low-privilege mailbox, is a possible source. As a precaution, rotate LDAP and admin credentials and check mailboxes for unauthorized mail forwarding rules, since attackers with metadata access commonly use both for persistence.
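An added helper for the first remediation step, not part of the original page: it pulls a dotted x.y.z version out of free text (for example the output of `zmcontrol -v` on a mailbox node) and classifies it against the fixed releases this advisory names. The sample input strings are constructed; the exact surrounding text that `zmcontrol -v` prints is not assumed, only that it contains the release number.

```python
import re

# Fixed releases named in this advisory, keyed by affected branch (major, minor).
FIXED = {(10, 0): (10, 0, 12), (10, 1): (10, 1, 4)}


def parse_version(text):
    """Return the first x.y.z version in the text as a tuple of ints, or None.
    Only the dotted number is relied on, so 'Release 10.0.11.GA.4520...' parses
    the same as a bare '10.0.11'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(p) for p in m.groups()) if m else None


def check(text):
    """Classify a version string against this advisory.

    Returns (version, status) where status is one of:
      'affected' - in a listed branch and below its fixed release
      'fixed'    - in a listed branch at or above its fixed release
      'unlisted' - a branch this advisory does not cover (not a 'safe' verdict)
      'unparsed' - no x.y.z version found in the input
    """
    version = parse_version(text)
    if version is None:
        return None, "unparsed"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return version, "unlisted"
    return version, ("affected" if version < fixed else "fixed")


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real host.
    for sample in ("Release 10.0.11.GA.4520 FOSS edition.", "Release 10.1.4",
                   "10.0.12", "Release 9.0.0", "no version here"):
        print(sample, "->", check(sample))
```

An 'unlisted' result for 8.8.15 or 9.0.x only means this CVE's affected list does not name those branches; it is not a statement that they are unaffected, and they should be checked against the vendor's own patch notes.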