Threats / Synacor / CVE-2025-68645
CVE-2025-68645
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Synacor Zimbra Collaboration Suite (ZCS) vulnerability
Synacor Zimbra Collaboration Suite contains a PHP remote file inclusion vulnerability in the /h/rest endpoint that allows attackers to include arbitrary files from the WebRoot directory.
Verdict
Today item — known-exploited.
Remote attackers can exploit improper request dispatching in ZCS to include and execute arbitrary files accessible within the web root, potentially leading to information disclosure or code execution depending on available file contents.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
81 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-01-22).
Probability (EPSS)
EPSS 0.31769 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Synacor, Zimbra Collaboration Suite (ZCS). Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-98 PHP File Inclusion — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious request to the /h/rest endpoint with path traversal or file inclusion parameters.
Business
Unauthorized file access exposes sensitive configuration files, credentials, or application source code stored in the web root.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I include PHP files or other executable content from the WebRoot directory through the vulnerable endpoint.
Business
Arbitrary code execution on the server compromises the entire Zimbra infrastructure and all hosted user data.
3
Lateral reach — past segmentation narrative 3
Attacker
I leverage included files to escalate privileges or pivot to backend systems and databases.
Business
Complete compromise of email services, user communications, and organizational data integrity.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05