[CIVN-2026-0063] Multiple Vulnerabilities in Zimbra Daffodil

Published On: February 3, 2026

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Zimbra Daffodil versions prior to 10.0.18
Zimbra Daffodil versions prior to 10.1.13
Overview
Multiple vulnerabilities have been reported in Zimbra Daffodil. Successful exploitation of these vulnerabilities could allow a remote attacker to gain access to sensitive information and affected services.
Target Audience:
Organizations and individuals using the affected versions of Zimbra Daffodil.
Risk Assessment:
High risk of unauthorized access, information disclosure and compromise of Zimbra Daffodil services.
Impact Assessment:
Unauthorized access to sensitive information, privilege escalation, service disruption, and compromise of user accounts.
Description
These vulnerabilities exist in Zimbra Daffodil due to improper input validation, file inclusion, and hardcoded-credential issues.
A remote attacker could exploit these vulnerabilities by sending specially crafted requests. Successful exploitation may allow the attacker to include arbitrary files, perform cross-site scripting, and gain access to credentials on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
Vendor Information
Zimbra
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
References
Zimbra
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes
CVE Name
CVE-2025-66376
CVE-2025-67809
CVE-2025-68645
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003