The US cybersecurity agency CISA on Thursday urged federal agencies to patch their Zimbra Collaboration Suite instances against a security defect actively exploited in the wild.
Tracked as CVE-2025-68645, the exploited Zimbra vulnerability is described as a local file inclusion (LFI) issue affecting the appliance’s webmail UI.
The bug exists because the RestFilter servlet fails to properly handle user-supplied request parameters, allowing attackers to send crafted requests.
By influencing internal request routing, attackers can include arbitrary files from the WebRoot directory without authentication.
Successful exploitation of the flaw could lead to the disclosure of sensitive information and internal paths, reconnaissance, and further compromise, if chained with other security weaknesses.
Patches for the flaw were released on November 6, 2025, in Zimbra Collaboration Suite versions 10.1.13 and 10.0.18.
On Thursday, CISA added CVE-2025-68645 to its Known Exploited Vulnerabilities (KEV) catalog, without providing details on the observed attacks.
According to CrowdSec, however, threat actors have been abusing the vulnerability in highly targeted attacks, as part of sophisticated, intelligence-driven campaigns.
Exploitation of the security defect has been surging, suggesting widespread interest from threat actors, CrowdSec notes.
In addition to the Zimbra weakness, CISA expanded the KEV list with three other bugs, urging federal agencies to address them within three weeks, as the Binding Operational Directive (BOD) 22-01 mandates.
The issues newly flagged as exploited include CVE-2025-54313, which refers to malicious code included in the eslint-config-prettier package as part of a supply chain attack in July 2025, CVE-2025-31125, an improper access control vulnerability in the Vite frontend development framework, and CVE-2025-34026, an authentication bypass in the Versa Concerto SD-WAN orchestration platform.
While BOD 22-01 applies only to federal agencies, all organizations are advised to review CISA’s KEV catalog and address the security defects it identifies.
Related: Fresh SmarterMail Flaw Exploited for Admin Access
Related: CISA KEV Catalog Expanded 20% in 2025, Topping 1,480 Entries
Related: Critical HPE OneView Vulnerability Exploited in Attacks
