
Alert: Zimbra Security Updates - February 2025

Zimbra has released critical security updates to address vulnerabilities, including an SQL injection (CVE-2025-25064), stored XSS, and SSRF (CVE-2025-25065). If exploited, these issues could lead to unauthorized access and information disclosure.
 
Affected Systems:
  • SQL Injection: Zimbra Collaboration versions prior to 10.0.12 and 10.1.4.
  • Stored XSS (Zero-Day): Zimbra Classic Web Client versions prior to 9.0.0 Patch 44, 10.0.13, and 10.1.5.
  • SSRF Vulnerability: Zimbra Collaboration versions prior to 9.0.0 Patch 43, 10.0.12, and 10.1.4.
 
Security Risks
 
Multiple vulnerabilities have been identified in Zimbra, posing significant security risks, including:
  • SQL Injection (CVE-2025-25064): A flaw in the ZimbraSync Service SOAP endpoint allows authenticated attackers to inject SQL queries, potentially exposing sensitive email metadata.
  • Stored XSS Vulnerability: A critical issue in the Zimbra Classic Web Client could allow attackers to execute malicious scripts, compromising session integrity and leaking information.
  • SSRF Vulnerability (CVE-2025-25065): A medium-severity flaw in the RSS feed parser allows unauthorized requests to internal network endpoints, increasing the risk of further attacks.
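The SSRF item above describes the general failure mode of a feed fetcher: a server-side component follows a user-supplied URL and ends up talking to hosts on the internal network. The following is an added illustration, written for this alert and not code from Zimbra or NCSA, of the egress check a feed fetcher should apply before it connects: only http/https, no embedded credentials, and every address the hostname resolves to must be globally routable. The `demo_resolve` table and its addresses are constructed for the example; the default resolver uses the standard library's `socket.getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_internal(ip):
    """True for any address a server-side fetcher must never contact.

    IPv4-mapped IPv6 literals (::ffff:10.0.0.5) are unwrapped first so they
    cannot be used to smuggle a private IPv4 address past the check.
    """
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global


def resolve_all(host):
    """Default resolver: the full set of A/AAAA answers for host."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def validate_feed_url(url, resolve=resolve_all):
    """Return (ok, reason). ok is True only if every resolved address is public."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        # A literal IP in the URL is checked directly, without DNS.
        ips = {ipaddress.ip_address(parts.hostname)}
    except ValueError:
        try:
            ips = resolve(parts.hostname)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not ips:
        return False, "host resolved to no addresses"
    bad = sorted(str(ip) for ip in ips if is_internal(ip))
    if bad:
        return False, f"resolves to internal address(es): {', '.join(bad)}"
    return True, "ok"


# Constructed resolver table for offline demonstration; not real hosts.
_DEMO_TABLE = {
    "feeds.example.com": {"93.184.216.34"},
    "intranet.example.com": {"10.0.0.5"},
    "dual.example.com": {"93.184.216.35", "192.168.1.1"},
}


def demo_resolve(host):
    if host not in _DEMO_TABLE:
        raise OSError(f"NXDOMAIN for {host}")
    return {ipaddress.ip_address(a) for a in _DEMO_TABLE[host]}


if __name__ == "__main__":
    for url in (
        "https://feeds.example.com/rss.xml",
        "http://intranet.example.com/rss",
        "http://127.0.0.1:8080/feed",
        "http://[::ffff:10.0.0.5]/feed",
        "https://dual.example.com/rss",
        "file:///etc/hosts",
    ):
        print(f"{url:40} -> {validate_feed_url(url, demo_resolve)}")
```

One caveat worth keeping in mind: a name can be checked here and then resolve differently when the HTTP client connects a moment later, so a complete fix pins the connection to the addresses that were validated rather than resolving the name a second time.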
 
Recommended Actions
 
The National Cyber Security Authority (NCSA) recommends that users and system administrators:
 
1. Follow Zimbra's security advisories to lower the risk of exploitation and keep systems protected.
 
2. Apply the required and latest security updates as soon as possible.
   The released versions to upgrade to include, but are not limited to:
  • SQL Injection: Update to Zimbra 10.0.12 or 10.1.4.
  • Stored XSS (Zero-Day): Update to Zimbra 9.0.0 Patch 44, 10.0.13, or 10.1.5.
  • SSRF: Update to Zimbra 10.0.12 or 10.1.4.3
 
3. Before any update task, please ensure you have a recent backup that can easily be restored.
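To make step 2 actionable across a fleet, the fixed versions listed above can be turned into a quick check of an installed release. The script below is an added example for this alert, not tooling from NCSA or Zimbra. It assumes the version string is of the form `X.Y.Z`, optionally followed by `Patch N` or `_PN` for the 9.0.0 line; the sample inputs at the bottom are constructed. Where the advisory does not list a release line for an issue (for example 9.0.0 for the SQL injection), the script reports `unlisted` rather than guessing.

```python
import re

# Fix levels taken from the advisory above, keyed by release line.
# For the 9.0.0 line the level is the patch number (9.0.0 Patch 44 -> 44);
# for the 10.0 and 10.1 lines it is the third version component (10.0.12 -> 12).
# Release lines the advisory does not mention for an issue are left out on purpose.
FIXED_LEVELS = {
    "SQL Injection (CVE-2025-25064)": {"10.0": 12, "10.1": 4},
    "Stored XSS": {"9.0": 44, "10.0": 13, "10.1": 5},
    "SSRF (CVE-2025-25065)": {"9.0": 43, "10.0": 12, "10.1": 4},
}

BASE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Matches "Patch 43" or "_P43"; the lookahead keeps "Patch 9.0.0_P43" from
# being read as patch 9, so the trailing _P43 is picked up instead.
PATCH_RE = re.compile(r"(?:_P|\bPatch\s+)(\d+)(?![.\d])", re.IGNORECASE)


def parse_version(text):
    """Return (release_line, level) from an assumed-format version string
    such as '10.0.11', '9.0.0 Patch 43' or '9.0.0_P44'."""
    m = BASE_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, micro = (int(x) for x in m.groups())
    line = f"{major}.{minor}"
    if line == "9.0":
        p = PATCH_RE.search(text)
        return line, int(p.group(1)) if p else 0
    return line, micro


def assess(version_text):
    """Map each advisory issue to 'vulnerable', 'fixed' or 'unlisted'."""
    line, level = parse_version(version_text)
    verdicts = {}
    for issue, fixes in FIXED_LEVELS.items():
        if line not in fixes:
            verdicts[issue] = "unlisted"
        elif level < fixes[line]:
            verdicts[issue] = "vulnerable"
        else:
            verdicts[issue] = "fixed"
    return verdicts


def needs_update(version_text):
    """True if at least one advisory issue is still open for this version."""
    return any(v == "vulnerable" for v in assess(version_text).values())


if __name__ == "__main__":
    # Constructed sample inputs, not output from real hosts.
    for v in ("10.0.11", "10.0.12", "10.1.5", "9.0.0 Patch 43", "9.0.0_P44"):
        print(f"{v:16} update needed: {needs_update(v)!s:5}  {assess(v)}")
```

A version that is `fixed` for one issue may still be `vulnerable` for another: 10.0.12 closes the SQL injection and SSRF entries but not the stored XSS, which needs 10.0.13.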
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.
 
12 February 2025

© 2025 National Cyber Security Authority