CVE-2025-25064

Published Feb 3, 2025

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-25064 is an SQL injection vulnerability found in the ZimbraSync Service SOAP endpoint of Zimbra Collaboration. This vulnerability arises from insufficient sanitization of a user-supplied parameter. An attacker who has authenticated to the system can manipulate this parameter to inject arbitrary SQL queries. This manipulation could allow the attacker to retrieve email metadata. Zimbra Collaboration versions 10.0.x before 10.0.12 and 10.1.x before 10.1.4 are affected. Zimbra has addressed this vulnerability and released patches. Users of affected versions are strongly encouraged to update their installations to version 10.0.12 or 10.1.4, respectively, to mitigate the risk. This information is current as of February 10, 2025.

Description
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Source
cve@mitre.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-89

Social media

Hype score
Not currently trending
  1. Zimbra Collaboration Suite has patched critical vulnerabilities, including XSS, SQLi, and SSRF. Important to apply updates to maintain security. CVE-2025-27915, CVE-2025-25064, CVE-2025-25065. 🔒 #Zimbra #DataProtection #USA link: https://t.co/fFVt5BVFdz https://t.co/zjX96qTX5y

    @TweetThreatNews

    20 Mar 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #Vulnerability #CVE202445519 CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration https://t.co/qNb9pPvdlW

    @Komodosec

    12 Mar 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. A critical #vulnerability impacting Zimbra software has been reported: the CVE-2025-25064. It allows an unauthenticated attacker to inject some arbitrary SQL queries. Stormshield security alert ➡️ https://t.co/Jw9vxrmii0 https://t.co/YadNF91OiR

    @Stormshield

    21 Feb 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Zimbra 10 SQL Injection (CVE-2025-25064) Analysis Article #CYBER #cybersecurite #liked #hackerling #FolloForFolloBack ✅Link: https://t.co/pcYdwlw3Ul https://t.co/EfFqn46AXJ

    @umidcybers

    19 Feb 2025

    50 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Zimbra 10 SQL Injection (CVE-2025-25064) Analysis Article https://t.co/MexkJZ7fL9 https://t.co/IUwGr537H5

    @cyber_advising

    18 Feb 2025

    2380 Impressions

    10 Retweets

    45 Likes

    15 Bookmarks

    0 Replies

    0 Quotes

  6. A critical vulnerability (CVE-2025-25064) has been discovered in the "Zimbra Collaboration" software #ETX #certaz #cybersecurity #kibertəhlükəsizlik #xəbərdarlıq https://t.co/5BT5TVoDSJ

    @CERTAzerbaijan

    12 Feb 2025

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Several different vulnerabilities have been published for the Zimbra mail server. The first vulnerability has the identifier CVE-2025-25064 and is of the SQL injection type, the second vulnerability has the identifier CVE-2025-25065 and is of the SSRF type, and the third vulnerability, with the identifier CVE-2024-45516, is of the XSS type. https://t.co/Poz3aKY03t

    @AmirHossein_sec

    11 Feb 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-25064 is marked as having no authentication requirements in the CVSS score, but the description literally says it's authenticated. CISA-ADP had to be smoking something crazy https://t.co/GS6KEIuQAV

    @PsExec64

    10 Feb 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities. The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug. https://t.co/5bXdpkia0s https://t.co/KxvyLu

    @riskigy

    10 Feb 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-25064 (CVSS 9.8) - Severe SQL Injection Vulnerability in Zimbra Collaboration https://t.co/WaoeRHJMp1 #zimbra #cyber #cybsersecurity #BusinessGrowth #business #Infosec #IT #security #internet

    @VAPTernInc

    10 Feb 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Zimbra Collaboration faces critical vulnerabilities (CVE-2025-25064, CVSS 9.8) allowing SQL injection and unauthorized access. Users should update to protect sensitive data. 🚨💻 #Zimbra #SQLInjection #USA link: https://t.co/ZoN8mysHX1 https://t.co/wf1eo65ny7

    @TweetThreatNews

    10 Feb 2025

    55 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-25064 impacts Zimbra with SQL Injection #Zimbra #CVE-2025-25064 https://t.co/luQfiUM6MK

    @pravin_karthik

    10 Feb 2025

    55 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Zimbra has rolled out critical updates addressing SQL injection (CVE-2025-25064) and stored XSS vulnerabilities, alongside a medium-severity SSRF flaw. Users encouraged to upgrade for enhanced security. 🔒 #Zimbra #InformationSecurity link: https://t.co/bGgzJjatFx https://t.co/B

    @TweetThreatNews

    10 Feb 2025

    25 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  14. ⚠️⚠️ CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration 🎯519+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link:https://t.co/iLr73S1Vwg FOFA Query:app="Zimbra-Collaboration-Suite" 🔖Refer:https://t.co/9zm7G9VHpy #OSINT… htt

    @fofabot

    10 Feb 2025

    1206 Impressions

    6 Retweets

    14 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  15. Zimbra's latest patch addresses three new vulnerabilities: • SQL Injection (CVE-2025-25064) exposing email metadata to authenticated attackers. • XSS vulnerability in the Classic Web Client, risking user security. • SSRF flaw (CVE-2025-25065) allowi... https://t.co/Mj11lfJarc

    @IT_news_for_all

    10 Feb 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Zimbra's latest patch addresses three new vulnerabilities: • SQL Injection (CVE-2025-25064) exposing email metadata to authenticated attackers. • XSS vulnerability in the Classic Web Client, risking user security. • SSRF flaw (CVE-2025-25065) allowing unauthorized redirection… h

    @TheHackersNews

    10 Feb 2025

    11685 Impressions

    21 Retweets

    50 Likes

    5 Bookmarks

    3 Replies

    3 Quotes

  17. CVE-2025-25064, -25065: Two vulnerabilities in Zimbra, 5.3 - 9.8 rating 🔥 Vulns include SQLi and SSRF, which could potentially lead to RCE. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/ETW5EAdP0f #cybersecurity #vulnerability_map https://t.co/zOWzsRsJBk https://t

    @Netlas_io

    10 Feb 2025

    1131 Impressions

    2 Retweets

    18 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨Alert🚨 CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration 📊 420K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/fhG5begTAR 👇Query HUNTER : https://t.co/q9rtuGfZuz="Zimbra" FOFA : product="zimbra-Mail-System"…

    @HunterMapping

    10 Feb 2025

    4413 Impressions

    32 Retweets

    83 Likes

    33 Bookmarks

    0 Replies

    0 Quotes

  19. 🚨Alert🚨 CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration 📊 420K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/fhG5begTAR👇Query HUNTER : https://t.co/q9rtuGfZuz="Zimbra" FOFA : product="zimbra-Mail-System"… h

    @HunterMapping

    10 Feb 2025

    116 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  20. Critical vulnerability in Zimbra Collaboration. CVE-2025-25064 has a CVSS score of 9.8 and is an SQL injection in the SOAP endpoint of the ZimbraSync Service. Execution of arbitrary SQL queries makes it possible to steal email metadata. https://t.co/dHjr6Pom4v

    @__kokumoto

    10 Feb 2025

    281 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  21. CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration https://t.co/MsQCX4Yna2

    @Dinosn

    10 Feb 2025

    1995 Impressions

    4 Retweets

    9 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  22. CVE-2025-25064 SQL injection vulnerability in the ZimbraSyncService SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4. https://t.co/zeoVSKZWtq

    @CVEnew

    3 Feb 2025

    319 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes