A high-severity Local File Inclusion (LFI) vulnerability has been identified in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10. This flaw allows a remote, unauthenticated attacker to read sensitive files from the underlying server, potentially leading to the exposure of credentials, configuration data, and private user information. Immediate patching is required to prevent potential data breaches and further system compromise.

This vulnerability is a Local File Inclusion (LFI) within the Webmail Classic UI component of Zimbra Collaboration Suite. It stems from the application's failure to properly sanitize user-supplied input used in file path operations. A remote, unauthenticated attacker can exploit this by crafting a malicious HTTP request containing path traversal sequences (e.g., ../../..). By manipulating the input, the attacker can navigate outside of the intended web root directory and access arbitrary files on the server's file system, limited only by the permissions of the web server's user account.

This is a High severity vulnerability with a CVSS score of 8.8, posing a significant risk to the confidentiality and integrity of organizational data. Successful exploitation could lead to a severe data breach, exposing sensitive emails, user credentials, and proprietary company information stored on the server. An attacker could also retrieve system configuration files, API keys, and database credentials, which could be leveraged to pivot deeper into the corporate network, leading to a wider compromise. The potential consequences include regulatory fines, reputational damage, and significant operational disruption.

Immediate Action: Apply the security updates provided by the vendor to all affected Zimbra Collaboration Suite instances immediately. Prioritize patching for internet-facing servers. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing web server and application access logs for suspicious requests made prior to the patch deployment.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests targeting the Webmail Classic UI that contain path traversal patterns such as ../, ..%2f, %2e%2e/, and other variants. Implement alerts for unusual file access patterns on the Zimbra server, particularly attempts to access sensitive system files like /etc/passwd, configuration files, or private keys by the web server process.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attacks. Additionally, consider restricting access to the Zimbra web interface to only trusted IP address ranges. Ensure the web server process is running with the lowest possible privileges to limit the scope of files an attacker can access.

Public Exploit Available: false

Immediate and decisive action is required to address this critical vulnerability. Given the high CVSS score of 8.8 and the risk of unauthenticated remote data exposure, all organizations using the affected version of Zimbra Collaboration Suite must prioritize the deployment of the vendor-supplied security updates. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above must be implemented as a temporary measure while preparing for an expedited patch cycle.