CVE-2025-25064

Summary

CVE-2025-25064 is a SQL injection vulnerability affecting the ZimbraSync Service SOAP endpoint in outdated versions of Zimbra Collaboration, specifically 10.0.x before 10.0.12 and 10.1.x before 10.1.4. This issue arises due to insufficient sanitization of a user-supplied parameter, enabling authenticated attackers to inject malicious SQL queries. Successful exploitation allows attackers to retrieve sensitive email metadata, posing a significant risk to organizations using these vulnerable versions. It is highly recommended for users to upgrade to the latest Zimbra Collaboration patch to mitigate this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.