CVE-2025-25064

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration versions 10.0.x through 10.0.11 Zimbra Collaboration versions 10.1.x through 10.1.3

Description The issue is related to a SQL injection vulnerability in the ZimbraSync Service SOAP endpoint due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata. It is estimated that over 420,000 services are potentially affected.

Recommendations Zimbra Collaboration versions 10.0.x through 10.0.11: Update to version 10.0.12 or later to resolve the issue. Zimbra Collaboration versions 10.1.x through 10.1.3: Update to version 10.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the ZimbraSync Service SOAP endpoint until a patch is applied.