
A critical vulnerability impacting Zimbra Collaboration has been reported. It has been assigned the reference CVE-2025-25064 and a CVSS 3.1 score of 9.8.

It should be noted that proofs of concept for CVE-2025-25064 are publicly available. The following versions are impacted:

  • Zimbra Collaboration 10.0.11 and earlier;
  • Zimbra Collaboration 10.1.3 and earlier.


Initial attack vector of the Zimbra vulnerability

The vulnerability allows an unauthenticated attacker to inject arbitrary SQL queries.


Technical details of the Zimbra vulnerability

The vulnerability lies in the ZimbraSync Service SOAP interface. The /CancelPendingAccountOnlyRemoteWipeRequest endpoint does not properly sanitize some user-supplied input, which leads to SQL injection.


Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1190 (Exploit Public-Facing Application)
  • T1659 (Content Injection)


How to protect against the Zimbra vulnerability with Stormshield Network Security

Protection against CVE-2025-25064

Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2025-25064 with the following IPS signatures:

  • http:client:data:17 : SQL injection Prevention - POST : suspicious SELECT statement in data
  • http:client:data:18 : SQL injection Prevention - POST : suspicious UPDATE statement in data
  • http:client:data:19 : SQL injection Prevention - POST : suspicious DROP statement in data
  • http:client:data:20 : SQL injection Prevention - POST : suspicious CREATE statement in data
  • http:client:data:21 : SQL injection Prevention - POST : possible version probing in data
  • http:client:data:22 : SQL injection Prevention - POST : suspicious OR statement in data
  • http:client:data:23 : SQL injection Prevention - POST : suspicious UNION statement in data
  • http:client:data:24 : SQL injection Prevention - POST : suspicious EXEC statement in data
  • http:client:data:25 : SQL injection Prevention - POST : suspicious OPENROWSET statement in data
  • http:client:data:26 : SQL injection Prevention - POST : suspicious OPENQUERY statement in data
  • http:client:data:27 : SQL injection Prevention - POST : suspicious HAVING statement in data
  • http:client:data:29 : SQL injection Prevention - POST : suspicious INSERT statement in data
  • http:client:data:33 : SQL injection Prevention - POST : suspicious DECLARE statement in data
  • http:client:data:34 : SQL injection Prevention - POST : suspicious CAST statement in data
  • http:client:data:95 : SQL injection Prevention - GET : suspicious SELECT statement in URL
  • http:client:data:96 : SQL injection Prevention - GET : suspicious UPDATE statement in URL
  • http:client:data:97 : SQL injection Prevention - GET : suspicious DROP statement in URL
  • http:client:data:98 : SQL injection Prevention - GET : suspicious CREATE statement in URL
  • http:client:data:99 : SQL injection Prevention - GET : possible database version probing
  • http:client:data:100 : SQL injection Prevention - GET : suspicious OR statement in URL
  • http:client:data:101 : SQL injection Prevention - GET : suspicious UNION statement in URL
  • http:client:data:102 : SQL injection Prevention - GET : suspicious EXEC statement in URL
  • http:client:data:103 : SQL injection Prevention - GET : suspicious OPENROWSET statement in URL
  • http:client:data:104 : SQL injection Prevention - GET : suspicious OPENQUERY statement in URL
  • http:client:data:105 : SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL
  • http:client:data:126 : SQL injection Prevention - GET : suspicious shutdown statement in URL
  • http:client:data:163 : SQL injection Prevention - GET : suspicious INSERT statement in URL
  • http:client:data:183 : SQL injection Prevention - GET : suspicious DECLARE statement in URL
  • http:client:data:184 : SQL injection Prevention - GET : suspicious CAST statement in URL
  • http:client:data:342 : SQL injection Prevention - GET : suspicious SQL keywords in URL
  • http:client:data:432 : SQL injection Prevention - GET : suspicious parameter in an URL parameter

For these protections to be effective, the traffic must be decrypted: the signatures inspect the request body and URL, which an SNS firewall can only see on plaintext or TLS-decrypted HTTP.
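To illustrate the technical details above and the POST/GET signature families listed, here is an added, constructed detector (not Stormshield's signature engine and not Zimbra code) that scans a decrypted HTTP request aimed at the /CancelPendingAccountOnlyRemoteWipeRequest endpoint for the same SQL keyword, tautology and version-probing patterns; the sample SOAP bodies and the `<item>` element are placeholders, not Zimbra's real schema.

```python
import re
from urllib.parse import unquote_plus

# SOAP operation / path named in the advisory; the check is scoped to it to limit false positives.
ENDPOINT = "CancelPendingAccountOnlyRemoteWipeRequest"

# Keyword families taken from the signature names above; the matching itself is a
# constructed simplification of what an IPS does, not Stormshield's actual logic.
KEYWORDS = ("SELECT", "UPDATE", "DROP", "CREATE", "UNION", "EXEC", "OPENROWSET",
            "OPENQUERY", "HAVING", "INSERT", "DECLARE", "CAST", "SHUTDOWN")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.I)
# "suspicious OR/AND statement": a boolean comparison glued onto user data.
TAUTOLOGY_RE = re.compile(r"\b(OR|AND)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)
# "possible version probing": common DBMS version expressions.
VERSION_RE = re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)


def sqli_reasons(data: str) -> list[str]:
    """Return the signature-style reasons that fire on one decoded data string."""
    seen = dict.fromkeys(k.upper() for k in KEYWORD_RE.findall(data))  # dedupe, keep order
    reasons = [f"suspicious {k} statement" for k in seen]
    if TAUTOLOGY_RE.search(data):
        reasons.append("suspicious OR/AND statement")
    if VERSION_RE.search(data):
        reasons.append("possible version probing")
    return reasons


def inspect_request(method: str, url: str, body: str = "") -> list[str]:
    """Inspect one decrypted HTTP request; only traffic to the ZimbraSync endpoint is in scope."""
    if ENDPOINT not in url and ENDPOINT not in body:
        return []
    # As in the signature list: POST signatures look at the body, GET signatures at the URL.
    data = body if method.upper() == "POST" else url
    return sqli_reasons(unquote_plus(data))


# Constructed sample requests (placeholders, not real Zimbra traffic).
BENIGN_BODY = ('<soap:Envelope><soap:Body><CancelPendingAccountOnlyRemoteWipeRequest>'
               '<item>device-42</item></CancelPendingAccountOnlyRemoteWipeRequest>'
               '</soap:Body></soap:Envelope>')
TAUTOLOGY_BODY = BENIGN_BODY.replace("device-42", "x' OR 'a'='a")
PROBE_URL = "/CancelPendingAccountOnlyRemoteWipeRequest?item=1%20UNION%20SELECT%20@@version"

if __name__ == "__main__":
    for args in (("POST", "/CancelPendingAccountOnlyRemoteWipeRequest", BENIGN_BODY),
                 ("POST", "/CancelPendingAccountOnlyRemoteWipeRequest", TAUTOLOGY_BODY),
                 ("GET", PROBE_URL, "")):
        print(args[0], inspect_request(*args) or "clean")
```

Keyword matching on XML bodies is inherently noisy (a device named "Select" would fire), which is why scoping to the vulnerable endpoint, and the vendor's own false-positive confidence index, matter before blocking on such hits.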

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations regarding the Zimbra vulnerability

It is therefore strongly recommended to update your Zimbra software to the following versions:

  • 0.12 or higher;
  • 1.4 or higher.
