CVE-2025-68645 · HIGH 8.8 · CISA KEV · EPSS p98.1%

CVE-2025-68645: Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability

Synacor / Zimbra Collaboration Suite (ZCS)

Description

Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 31.77% probability of exploitation · percentile 98.1% · 2026-06-18T12:00:27Z
Published: 2025-12-22
Last modified: 2026-01-23

CISA KEV entry

Added to KEV: 2026-01-22

Underlying weaknesses · 1

CWE-98

References

  1. https://wiki.zimbra.com/wiki/Security_Center
  2. https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
  3. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68645

1

Type | Target | Confidence | Tier
Weakness | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (cwe-98) | 0% | live

(incoming) · 1

Type | Target | Confidence | Tier
KEVEntry | Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability (kev-cve-2025-68645) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
CVE
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE
Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
CVE
Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass Vulnerability
CVE
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
CVE
Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting Vulnerability
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.