Zimbra security updates: Attackers can read email metadata
Among other things, the Zimbra developers have closed at least one critical gap in the e-mail and groupware solution.
Admins should update their Zimbra servers to the latest version for security reasons. Updates closed several vulnerabilities. Although there are currently no reports of attacks, the developers advise users to update quickly.
The dangers
In the security section of the Zimbra website, the developers list several vulnerabilities, some of which have not yet been assigned a CVE identifier. One gap is classified as “critical”: attackers can execute their own code as part of a cross-site scripting (XSS) attack. No further details are currently known.
However, details of one “critical” vulnerability (CVE-2025-25064) have already been published. Authenticated attackers can exploit it with specially crafted requests. Because user input is not sufficiently validated, attackers can inject their own SQL commands at this point and gain access to email metadata.
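The defect class described here, as an added, generic illustration: a query whose filter value is spliced into the SQL text next to the parameterised form of the same query. This is constructed example code using Python's sqlite3 module, not Zimbra's code, and it says nothing about where the real flaw sits; the table, column names and sample rows are invented for the demonstration.

```python
"""Constructed illustration of an SQL injection defect and its fix.
Not Zimbra code: table layout, rows and the filter value are made up."""
import sqlite3


def build_db():
    """Constructed in-memory store of message metadata for two mailboxes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_item ("
        "id INTEGER PRIMARY KEY, mailbox_id INTEGER, sender TEXT, subject TEXT)"
    )
    conn.executemany(
        "INSERT INTO mail_item (mailbox_id, sender, subject) VALUES (?, ?, ?)",
        [
            (1, "alice@example.test", "Q3 budget"),
            (1, "bob@example.test", "Lunch?"),
            (2, "ceo@example.test", "Confidential merger notes"),
        ],
    )
    return conn


def search_vulnerable(conn, mailbox_id, sender_filter):
    """Unsafe: the caller-supplied filter is concatenated into the SQL text.
    A value containing quotes can therefore change the query's structure,
    here widening a per-mailbox lookup to every mailbox in the table."""
    sql = (
        "SELECT id, sender, subject FROM mail_item "
        f"WHERE mailbox_id = {mailbox_id} AND sender = '{sender_filter}'"
    )
    return conn.execute(sql).fetchall()


def search_fixed(conn, mailbox_id, sender_filter):
    """Safe: bound parameters keep the value as data; the query's structure
    is fixed at write time, so the same input simply matches no sender."""
    sql = (
        "SELECT id, sender, subject FROM mail_item "
        "WHERE mailbox_id = ? AND sender = ?"
    )
    return conn.execute(sql, (mailbox_id, sender_filter)).fetchall()


def demo():
    """Run both variants with a constructed quote-bearing filter value and
    return (rows leaked by the unsafe query, rows returned by the fixed one)."""
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed: harmless as data, harmful as SQL text
    leaked = search_vulnerable(conn, 1, crafted)
    contained = search_fixed(conn, 1, crafted)
    return len(leaked), len(contained)


if __name__ == "__main__":
    print(demo())
```

The unsafe variant returns all three rows, including the one belonging to mailbox 2, while the parameterised variant returns none: the fix is to stop user input from ever being parsed as SQL, not to filter individual characters.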
Another known vulnerability (CVE-2025-25065, “medium”) allows attackers to redirect server connections.
Patches available
To protect systems against such attacks, admins must install the patched versions 9.0.0 Patch 44, 10.0.13 or 10.1.5.
(des)