## https://sploitus.com/exploit?id=3527530F-9964-5163-99A8-5F0C2C7D1BE7
# CVE-2025-68645 โ Zimbra Classic UI LFI (Defender Pack)
This repository is a **defender-focused** reference pack for **CVE-2025-68645**, a Local File Inclusion (LFI) issue in
**Zimbra Collaboration (ZCS) 10.0.x and 10.1.x Classic Webmail UI** caused by improper handling of user-controlled
request parameters in the `RestFilter` servlet.
## What this repo contains (safe)
- **Detection** content (Sigma + Splunk) for suspicious requests involving `javax.servlet.include.servlet_path`
- **Mitigation** snippets (WAF / reverse proxy blocks) you can adapt
- **IOC patterns** and quick triage notes
- A concise **advisory** you can share internally
> โ ๏ธ This repo intentionally **does not include exploit code, weaponized proof-of-concepts, or targeting guidance**.
## Affected versions
- ZCS **10.0 < 10.0.18**
- ZCS **10.1 < 10.1.13**
## References
- NVD: CVE-2025-68645
- CISA KEV catalog entry (Known Exploited Vulnerabilities)
## Suggested response actions
1. Patch/upgrade to a fixed release.
2. Reduce exposure: restrict or block the vulnerable endpoint from untrusted networks.
3. Hunt for exploitation attempts in web/proxy logs (see `detection/`).
4. Review for post-exploitation indicators (unexpected webroot changes, new files, suspicious processes, etc.).
## Disclaimer
This content is provided for **defensive security** purposes only.