Z-Push CVE-2025-8264
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database. Note: This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured. Mitigation Change configuration to use the default or LDAP in backend/imap/config.php php define('IMAP_DEFAULTFROM', ''); or php define('IMAP_DEFAULTFROM', 'ldap');
AnalysisAI
SQL injection in Z-Push IMAP backend allows unauthenticated remote attackers to access, modify, or delete data in linked third-party databases via malicious username values in basic authentication headers. Exploitation requires non-default IMAP_FROM_SQL_QUERY configuration. Publicly available exploit code exists (GitHub PR #161 demonstrates the vulnerability). CVSS 7.9 with network attack vector and no authentication required, though attack complexity increases due to the specific configuration prerequisite. Affects Z-Push versions before 2.7.6.
Technical ContextAI
Z-Push is a PHP-based open-source implementation of the Microsoft ActiveSync protocol for mobile device synchronization with email servers. The vulnerability resides in the IMAP backend component (backend/imap/user_identity.php, lines 211-214), where username values from HTTP basic authentication are directly interpolated into SQL queries without parameterization when IMAP_FROM_SQL_QUERY is configured. This represents a classic CWE-89 SQL injection flaw where user-controlled input (the username field in Authorization headers) flows unsanitized into database operations. The IMAP backend's user identity feature allows querying external SQL databases to retrieve email addresses for users, but the query construction lacks prepared statements or input validation. The vulnerable code path only executes when administrators have explicitly configured IMAP_FROM_SQL_QUERY to query a third-party database rather than using default settings or LDAP.
Affected ProductsAI
Z-Push versions before 2.7.6 are affected when the IMAP backend is enabled with IMAP_FROM_SQL_QUERY configured to query external SQL databases. The package identifier is z-push/z-push-dev in PHP/Composer ecosystems. Specifically, the vulnerability exists in backend/imap/user_identity.php in the user identity resolution code path. GitHub repository Z-Hub/Z-Push versions prior to commit f981d515a35ac4c303959af21dce880a5db02786 contain the vulnerable unparameterized query construction. Organizations using default IMAP_DEFAULTFROM settings or LDAP-based identity resolution are not affected even if running vulnerable versions. Advisory available at https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180 and technical analysis at https://xbow.com/blog/xbow-zpush-sqli/.
RemediationAI
Upgrade to Z-Push version 2.7.6 or later, which implements parameterized queries in the IMAP backend user identity code (fix available via GitHub PR #161, commit f981d515a35ac4c303959af21dce880a5db02786). For systems that cannot immediately upgrade, remove SQL injection attack surface by changing backend/imap/config.php to use default settings (define('IMAP_DEFAULTFROM', '');) or LDAP-based identity resolution (define('IMAP_DEFAULTFROM', 'ldap');) instead of IMAP_FROM_SQL_QUERY. This configuration change eliminates the vulnerable code path entirely but impacts functionality for deployments that rely on SQL database queries for user email address resolution - organizations must ensure alternative identity resolution mechanisms meet their operational requirements. If SQL-based identity resolution is business-critical and patching is delayed, implement input validation at the web server or reverse proxy layer to sanitize HTTP Authorization headers, though this is complex and error-prone compared to patching. Monitor database query logs for suspicious username patterns (SQL keywords, comment sequences, UNION statements) as a detection control. Vendor patch details: https://github.com/Z-Hub/Z-Push/pull/161.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today