BSI: CERT-Bund criticizes many vulnerable Zimbra servers
The BSI's CERT-Bund warns that hundreds of vulnerable Zimbra servers are online in Germany.
(Image: CERT-Bund / Collage heise medien)
Like any other software, the groupware Zimbra regularly has security vulnerabilities that are closed by updated packages. Just this week, a high-risk cross-site scripting vulnerability became known. However, the CERT-Bund of the Federal Office for Information Security (BSI) criticizes that a large proportion of the approximately 1500 Zimbra servers in Germany are still running an old, vulnerable software version.
Germany's top IT security authority writes: “Exchange servers that are still running outdated and vulnerable versions are - also by us - repeatedly criticized.” With alternatives like Zimbra, the situation is better, but not rosy. “Of the approximately 1500 Zimbra servers known to us in Germany, 40% are currently running a version no longer supported by the manufacturer (10.0 and older) or are still vulnerable to critical vulnerabilities such as CVE-2025-68645.”
Zimbra: Current high-risk security vulnerabilities
The vulnerability mentioned is a file inclusion flaw: attackers on the network can send specially crafted requests to the API endpoint “/h/rest” without logging in and thereby include arbitrary files from the webroot directory (CVE-2025-68645, CVSS 8.8, risk “high”). Zimbra Collaboration (ZCS) 10.0 and 10.1 are affected. Just this week, a stored cross-site scripting vulnerability in the Classic UI also became known; it can be exploited through the “@import” directive in HTML emails (CVE-2025-66376, CVSS 7.2, risk “high”).
These vulnerabilities likewise affect Zimbra Collaboration (ZCS) 10.0 and 10.1; the Zimbra versions 10.0.18 and 10.1.13 released in November fix the security-relevant errors. Apparently, only 60 percent of Zimbra servers are at this level, as the BSI now notes. Admins should not hesitate and should update to the latest versions quickly.
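To turn the article's version thresholds into a quick inventory check, here is an added example (not code from heise, the BSI or Zimbra) that classifies reported Zimbra versions as patched, vulnerable or unsupported. It assumes the version line looks like the `Release 10.1.12.GA...` output of `zmcontrol -v` (format assumed), and uses constructed sample data.

```python
import re

# Fixed releases named in the article: 10.0.18 and 10.1.13 (November).
FIXED = {(10, 0): (10, 0, 18), (10, 1): (10, 1, 13)}

# Per the BSI, 10.0 and older are no longer supported by the vendor.
# Assumption: "10.0 and older" means any branch numerically <= 10.0.
LAST_UNSUPPORTED_BRANCH = (10, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from a version string.
    Assumed input format: 'Release 10.1.12.GA.4875.UBUNTU22.64 ...'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Classify one reported version against the article's thresholds."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        # 10.0.x / 10.1.x: compare against the fixed patch level.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch <= LAST_UNSUPPORTED_BRANCH:
        return "unsupported"  # older than 10.0: no vendor support at all
    return "unknown"  # newer branch the article does not cover


def summarize(version_lines):
    """Count classifications and return the share needing action,
    i.e. vulnerable or unsupported hosts, as the BSI's 40 % figure does."""
    counts = {"patched": 0, "vulnerable": 0, "unsupported": 0, "unknown": 0}
    for line in version_lines:
        counts[assess(line)] += 1
    at_risk = counts["vulnerable"] + counts["unsupported"]
    return counts, at_risk / len(version_lines)


# Constructed sample inventory (not real hosts).
SAMPLE = [
    "Release 10.1.13.GA.4911.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
    "Release 10.1.12.GA.4875.UBUNTU22.64 UBUNTU22_64 FOSS edition.",
    "Release 10.0.18.GA.4732.RHEL9.64 RHEL9_64 NETWORK edition.",
    "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition.",
    "Release 10.0.9.GA.4600.UBUNTU20.64 UBUNTU20_64 FOSS edition.",
]
```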
The BSI has been complaining about outdated Exchange servers regularly for many years. Most recently, at the end of October, the authority warned that more than 30,000 outdated Exchange servers running no-longer-supported versions, such as Exchange 2016 and 2019, are still accessible online in Germany.
(dmk)