CVE-2025-25064
HIGHCVSS v3
8.8
HIGH
EPSS Score
36.2%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Technical Details
- Published
- 2/3/2025
Frequently Asked Questions
What is CVE-2025-25064?
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
Is CVE-2025-25064 actively exploited?
Active exploitation of CVE-2025-25064 has not been confirmed. The EPSS score is 36.2%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2025-25064?
CVE-2025-25064 has a CVSS v3 base score of 8.8 (HIGH severity).
Is CVE-2025-25064 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.