The CrowdSec Network has detected a notable inflow of signals exploitation attempts targeting Zimbra Collaboration (acquired by Synacor in 2015). This wave is driven by two distinct vulnerabilities: a newly weaponized Local File Inclusion (LFI) flaw (CVE-2025-68645) and a persistent Cross-Site Scripting (XSS) vulnerability (CVE-2022-27926).
Key findings
- Exploitation Spike: On January 28, 2026, we observed a massive spike in activity targeting these two vulnerabilities, reaching 5 times the regular levels with over 1,000 distinct IPs detected in a single day.
- CVE-2025-68645 (LFI): Published in late December 2025. CrowdSec released a detection rule on January 14, 2026.
- Geographic Sources: In the last 7 days, the majority of attacking IPs originated from the United States (975 distinct IPs), followed by Canada (209) and Ireland (201). France, the UK, Germany, and Russia followed with significantly lower volumes.
- CVE-2022-27926 (XSS): Despite being from 2022, this vulnerability remains a favorite among attackers, with 58 malicious IPs reported, indicating sustained interest in compromising webmail sessions.
- Other Active Threats: We are also detecting ongoing exploitation of CVE-2022-37042 (Authentication Bypass) and CVE-2022-27925 (Remote Code Execution), confirming that attackers are throwing every available exploit at Zimbra instances.
What is Zimbra Collaboration?
Zimbra Collaboration (formerly Zimbra Collaboration Suite or ZCS) is a widely used enterprise software package that includes an email server and a web client. It provides email, calendar, and collaboration features similar to Microsoft Exchange.
Who uses it: IT administrators, government agencies, educational institutions, and enterprises relying on open-core collaboration tools.
Why it matters: Compromising a Zimbra server often grants attackers access to sensitive internal communications, credentials, and potentially the entire organizational network.
How do these exploits work?
CVE-2025-68645: The New Threat (LFI)
This critical (CVSS 8.8) vulnerability allows unauthenticated remote attackers to read sensitive files from the Zimbra server.
- Mechanism: The flaw exists in the
/h/restendpoint. Attackers manipulate thejavax.servlet.include.servlet_pathparameter to bypass checks and include arbitrary files from the WebRoot directory. - Impact: Attackers can read configuration files containing credentials or system details, potentially escalating to Remote Code Execution (RCE).
- Researcher Credit: This vulnerability was highlighted by security researchers analyzing recent patch diffs.
CVE-2022-27926: The Old Ghost (XSS)
This Medium (CVSS 6.1) vulnerability is a Reflected Cross-Site Scripting flaw.
- Mechanism: It targets the
/public/launchNewWindow.jspcomponent. Attackers send a crafted link to a victim; if clicked, malicious JavaScript executes in the victim’s browser session. - Impact: Theft of session cookies, reliable redirection to phishing sites, or performing actions on behalf of the victim (e.g., forwarding emails).
Trend analysis
The simultaneous rise in both vulnerabilities paints a concerning picture. CVE-2025-68645 is following the classic “new exploit lifecycle”: a slow start followed by a sharp uptick as Proof-of-Concept code becomes widely available.
The opportunistic nature of the scans suggests threat actors are racing to identify vulnerable servers before they are patched. CVE-2022-27926, conversely, represents “zombie” activity; attackers know many organizations lag in patching older flaws, making it a reliable vector for initial access via phishing campaigns. The resurgence of older vulnerabilities like CVE-2022-37042 and CVE-2022-27925 is often a weak signal that more recent exploits are being prepared or that attackers are testing the waters with known methods before deploying newer, more expensive exploits.
How to protect your systems
- Patching is paramount: Ensure you are running the latest version of Zimbra Collaboration (10.1 or patched 10.0). Check the Zimbra Security Center for specific patch levels.
- Preemptive blocking: CrowdSec detects and blocks these attacks with up-to-date scenarios.
- Stay proactive: Use Crowdsec Intelligence to monitor the IPs targeting Zimbra products closely. Crowdsec offers a wide range of protection for several different products. Check out the Live Exploit Tracker.