CrowdSec
CrowdSec Score: 10/10

Zimbra - LFI (CVE-2025-68645)

Published on: 22-12-2025
First seen on: 19-01-2026
Public Exploit | CVSS 8.8/10 | Synacor - Zimbra

9 Exploiting IPs reported

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

CrowdSec analysis

CVE-2025-68645 is a Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) versions 10.0 and 10.1, stemming from improper input handling in the RestFilter servlet. This flaw allows unauthenticated remote attackers to exploit the /h/rest endpoint to include arbitrary files from the WebRoot directory, potentially leading to information disclosure, remote code execution, or further compromise of the affected system.

CrowdSec has been tracking this vulnerability and its exploits since the 14th of January 2026.

Data from the CrowdSec community indicates that exploitation of CVE-2025-68645 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-68645 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-68645 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit the /h/rest endpoint by supplying the javax.servlet.include.servlet_path parameter to include sensitive files such as /WEB-INF/web.xml, enabling local file inclusion attacks against Zimbra Collaboration servers.
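
A log-triage check for the request pattern described above, added here as an example and not CrowdSec's or Zimbra's own code. It assumes combined-format access logs in which the parameter appears in the logged query string; the sample lines are constructed, and the check flags any javax.servlet.include.* parameter name on /h/rest rather than only servlet_path.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-format access log entry (assumed format; adjust to your proxy's layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Container-set include attribute names; not expected as client-supplied parameters.
ATTR_PREFIX = "javax.servlet.include."

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2026:10:02:11 +0000] "GET /h/rest?javax.servlet.include.servlet_path=/WEB-INF/web.xml HTTP/1.1" 200 5120',
    '198.51.100.23 - - [19/Jan/2026:10:05:40 +0000] "GET /h/rest?javax%2Eservlet%2Einclude%2Eservlet_path=%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 5120',
    '192.0.2.10 - - [19/Jan/2026:10:06:02 +0000] "GET /h/search?st=message HTTP/1.1" 200 20480',
    '192.0.2.10 - - [19/Jan/2026:10:06:09 +0000] "GET /h/rest?fmt=json HTTP/1.1" 200 311',
]


def find_suspect_requests(lines):
    """Return one finding per log line that hits /h/rest with an include.* parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry we understand
        parts = urlsplit(m.group("target"))
        # Normalise the path: drop ;path-params, undo percent-encoding, ignore case.
        path = unquote(parts.path.split(";")[0]).lower()
        if path != "/h/rest" and not path.startswith("/h/rest/"):
            continue
        # parse_qsl percent-decodes names and values, so encoded names still match.
        hits = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                if k.lower().startswith(ATTR_PREFIX)]
        if hits:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")), "params": hits})
    return findings


if __name__ == "__main__":
    for f in find_suspect_requests(SAMPLE_LOG):
        print(f["ip"], f["status"], f["params"])
```

The logged status code is kept in each finding so that responses that returned content can be triaged ahead of rejected ones.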

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.