Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.


Zimbra Collaboration 10.0 and 10.1 were affected by a critical Local File Inclusion (LFI) vulnerability, tracked as CVE-2023-34358.

The flaw existed within the `mta-sts` component's `proxy` servlet, specifically due to improper validation of the `url` parameter. An unauthenticated attacker could craft a malicious request to read arbitrary files from the server's filesystem.

This included sensitive files like `/etc/passwd` and, critically, `/opt/zimbra/conf/localconfig.xml`. The `localconfig.xml` file contains critical configuration details and cleartext credentials (e.g., database passwords), leading to severe information disclosure.

Exploitation could enable further attacks, including potential privilege escalation or remote code execution, by leveraging the stolen credentials.

Zimbra addressed this vulnerability in versions 10.0.1 and 10.1.1. Users are strongly advised to update to patched versions immediately to mitigate this high-severity risk.

# zimbramail-CVE-2025-68645-poc

A proof-of-concept exploiting a Local File Inclusion (LFI) vulnerability existing in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet.

# Vulnerability

The vulnerability exists due to improper input validation in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

- User-controlled parameters are not correctly sanitized.
- Internal request routing can be manipulated.
- Arbitrary files under the WebRoot directory may be included in server responses.

# Affected Versions

- Zimbra versions 10.0.x prior to 10.0.18
- Zimbra versions 10.1.x prior to 10.1.13

# PoC (by sirifu4k1)

```
http://127.0.0.1/h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml
```

# Automation

Nuclei-Template:

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-68645.yaml

# Into the wild

FOFA:

```
((title="Zimbra Web Client Sign In") || (title="Zimbra ???????"))
```

SHODAN:

```
http.title:"Zimbra Web Client Sign In"
```

# Impact

An unauthenticated remote attacker can include arbitrary files from the WebRoot directory, potentially exposing sensitive information.

- Read sensitive files (configs, environment data)
- Leak credentials or internal paths
- Gather intelligence for further exploitation
- Chain with other vulnerabilities for deeper compromise

CVSS 3.x vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 3.x base score: 8.80
CVSS 3.x severity: HIGH

# Remediation & Mitigation

Update to the latest version of Zimbra Collaboration.

- ZCS 10.0.18
- ZCS 10.1.13 and later

Recommended Actions:

1. Upgrade immediately to a patched version
2. Disable Classic UI if not required
3. Monitor logs for suspicious access to `/h/rest`
4. Restrict public access to Zimbra web endpoints where possible
5. Review WebRoot permissions and exposed files
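To make step 3 concrete, the following added example (not part of the original README or of Zimbra) scans web-server access log lines for requests to `/h/rest` whose query carries any `javax.servlet.include.` parameter, the container-internal attribute name abused in the PoC above. The log lines are constructed samples in combined log format; the regex, the field names and the alert structure are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jan/2026:10:15:01 +0000] "GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 4120 "-" "curl/8.4.0"
198.51.100.7 - - [02/Jan/2026:10:15:03 +0000] "GET /h/rest?id=123&fmt=json HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jan/2026:10:15:05 +0000] "GET /h/rest?javax%2Eservlet%2Einclude%2Eservlet_path=/WEB-INF/web.xml HTTP/1.1" 200 4120 "-" "python-requests/2.31"
192.0.2.44 - - [02/Jan/2026:10:16:00 +0000] "GET /zimbra/ HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A browser or API client has no legitimate reason to send parameters under this
# prefix: they are servlet-container include attributes, not Zimbra REST parameters.
SUSPICIOUS_PREFIX = "javax.servlet.include."


def classify(line: str):
    """Return an alert dict for a suspicious /h/rest request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/h/rest"):
        return None
    # parse_qs percent-decodes names once; the extra unquote() catches double encoding.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = {unquote(k): v for k, v in params.items()
            if unquote(k).startswith(SUSPICIOUS_PREFIX)}
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "params": hits}


def scan(log_text: str):
    """Scan a whole log and return the list of alerts in log order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} status={alert['status']} {alert['params']}")
```

A 200 status with a large response size on such a request is the strongest sign that a file was actually served; a 4xx still shows probing and is worth correlating by source IP.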

# References

https://nvd.nist.gov/vuln/detail/CVE-2025-68645

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

https://x.com/sirifu4k1/status/2006031417088639064

# Disclaimer

This tool is for authorized security testing only. Unauthorized access to computer systems is illegal.
