CVE-2025-25064

Published Feb 3, 2025

Last updated 5 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-25064 is an SQL injection vulnerability found in the ZimbraSync Service SOAP endpoint of Zimbra Collaboration. This vulnerability arises from insufficient sanitization of a user-supplied parameter. An attacker who has authenticated to the system can manipulate this parameter to inject arbitrary SQL queries. This manipulation could allow the attacker to retrieve email metadata. Zimbra Collaboration versions 10.0.x before 10.0.12 and 10.1.x before 10.1.4 are affected. Zimbra has addressed this vulnerability and released patches. Users of affected versions are strongly encouraged to update their installations to version 10.0.12 or 10.1.4, respectively, to mitigate the risk. This information is current as of February 10, 2025.

Description
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Source
cve@mitre.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-89

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

8

  1. Several different vulnerabilities have been published for the Zimbra mail server. The first vulnerability has the identifier CVE-2025-25064 and is an SQL injection, the second has the identifier CVE-2025-25065 and is an SSRF, and the third, with the identifier CVE-2024-45516, is an XSS. https://t.co/Poz3aKY03t

    @AmirHossein_sec

    11 Feb 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-25064 is marked as having no authentication requirements in the CVSS score, but the description literally says it's authenticated. CISA-ADP had to be smoking something crazy https://t.co/GS6KEIuQAV

    @PsExec64

    10 Feb 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities. The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug. https://t.co/5bXdpkia0s https://t.co/KxvyLu

    @riskigy

    10 Feb 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-25064 (CVSS 9.8) - Severe SQL Injection Vulnerability in Zimbra Collaboration https://t.co/WaoeRHJMp1 #zimbra #cyber #cybsersecurity #BusinessGrowth #business #Infosec #IT #security #internet

    @VAPTernInc

    10 Feb 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Zimbra Collaboration faces critical vulnerabilities (CVE-2025-25064, CVSS 9.8) allowing SQL injection and unauthorized access. Users should update to protect sensitive data. 🚨💻 #Zimbra #SQLInjection #USA link: https://t.co/ZoN8mysHX1 https://t.co/wf1eo65ny7

    @TweetThreatNews

    10 Feb 2025

    55 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-25064 impacts Zimbra with SQL Injection #Zimbra #CVE-2025-25064 https://t.co/luQfiUM6MK

    @pravin_karthik

    10 Feb 2025

    55 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Zimbra has rolled out critical updates addressing SQL injection (CVE-2025-25064) and stored XSS vulnerabilities, alongside a medium-severity SSRF flaw. Users encouraged to upgrade for enhanced security. 🔒 #Zimbra #InformationSecurity link: https://t.co/bGgzJjatFx https://t.co/B

    @TweetThreatNews

    10 Feb 2025

    25 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. ⚠️⚠️ CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration 🎯519+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link:https://t.co/iLr73S1Vwg FOFA Query:app="Zimbra-Collaboration-Suite" 🔖Refer:https://t.co/9zm7G9VHpy #OSINT… htt

    @fofabot

    10 Feb 2025

    1206 Impressions

    6 Retweets

    14 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  9. Zimbra's latest patch addresses three new vulnerabilities: • SQL Injection (CVE-2025-25064) exposing email metadata to authenticated attackers. • XSS vulnerability in the Classic Web Client, risking user security. • SSRF flaw (CVE-2025-25065) allowi... https://t.co/Mj11lfJarc

    @IT_news_for_all

    10 Feb 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Zimbra's latest patch addresses three new vulnerabilities: • SQL Injection (CVE-2025-25064) exposing email metadata to authenticated attackers. • XSS vulnerability in the Classic Web Client, risking user security. • SSRF flaw (CVE-2025-25065) allowing unauthorized redirection… h

    @TheHackersNews

    10 Feb 2025

    11685 Impressions

    21 Retweets

    50 Likes

    5 Bookmarks

    3 Replies

    3 Quotes

  11. CVE-2025-25064, -25065: Two vulnerabilities in Zimbra, 5.3 - 9.8 rating 🔥 Vulns include SQLi and SSRF, which could potentially lead to RCE. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/ETW5EAdP0f #cybersecurity #vulnerability_map https://t.co/zOWzsRsJBk https://t

    @Netlas_io

    10 Feb 2025

    1131 Impressions

    2 Retweets

    18 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  12. 🚨Alert🚨 CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration 📊 420K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/fhG5begTAR 👇Query HUNTER : https://t.co/q9rtuGfZuz="Zimbra" FOFA : product="zimbra-Mail-System"…

    @HunterMapping

    10 Feb 2025

    4413 Impressions

    32 Retweets

    83 Likes

    33 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨Alert🚨 CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration 📊 420K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/fhG5begTAR👇Query HUNTER : https://t.co/q9rtuGfZuz="Zimbra" FOFA : product="zimbra-Mail-System"… h

    @HunterMapping

    10 Feb 2025

    116 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  14. Critical vulnerability in Zimbra Collaboration. CVE-2025-25064 has a CVSS score of 9.8 and is an SQL injection in the SOAP endpoint of the ZimbraSync Service. Executing arbitrary SQL queries makes it possible to steal email metadata. https://t.co/dHjr6Pom4v

    @__kokumoto

    10 Feb 2025

    281 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  15. CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration https://t.co/MsQCX4Yna2

    @Dinosn

    10 Feb 2025

    1995 Impressions

    4 Retweets

    9 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-25064 SQL injection vulnerability in the ZimbraSyncService SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4. https://t.co/zeoVSKZWtq

    @CVEnew

    3 Feb 2025

    319 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes