CVE-2025-68645

Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645)

Initial Access Execution Persistence Last updated:

Detects exploitation of CVE-2025-68645, a PHP Remote File Inclusion (RFI) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CWE-98 class vulnerabilities allow attackers to inject and execute remote PHP files via unsanitized user-controlled input passed to PHP file inclusion functions, enabling arbitrary code execution in the context of the web server process. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Synacor
Product
Zimbra Collaboration Suite (ZCS)

Weakness (CWE)

CWE-98

Timeline

Disclosed
January 22, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2025-68645 Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645)?

Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645) (CVE-2025-68645) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence
Microsoft Sentinel / Defender
kusto 
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where (DeviceName contains "zimbra" or InitiatingProcessCommandLine contains "zimbra" or FolderPath contains "/opt/zimbra")
| where (
    (ActionType == "InboundConnectionAccepted" and RemoteUrl matches regex @"(?i)(https?://[^/]+/.*\.(php|txt|jpg|png|gif)\?.*=https?://|file://|ftp://)")
    or (ProcessCommandLine matches regex @"(?i)(include|require|include_once|require_once)\s*\(.*https?://")
    or (InitiatingProcessCommandLine matches regex @"(?i)curl\s.*-o.*\.php|wget\s.*\.php|fetch.*http")
    or (FolderPath matches regex @"/opt/zimbra/(data/tmp|store|index)/.*\.php$")
)
| project TimeGenerated, DeviceName, ActionType, ProcessCommandLine, InitiatingProcessCommandLine, RemoteUrl, FolderPath, AccountName, RemoteIP
| order by TimeGenerated desc

Detects PHP Remote File Inclusion exploitation attempts against Zimbra ZCS by correlating inbound HTTP requests with RFI-pattern URLs and unexpected PHP file creation in Zimbra data directories.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel Azure Monitor

Required Tables

DeviceNetworkEvents DeviceProcessEvents DeviceFileEvents

False Positives

  • Legitimate administrative scripts using PHP include with local paths that superficially match regex patterns
  • Zimbra automated backup or migration tasks that fetch remote content via curl/wget
  • Security scanners performing vulnerability assessments against Zimbra endpoints
  • Development environments where PHP files are legitimately fetched for testing purposes

Sigma rule & cross-platform mapping

The detection logic for Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645) (CVE-2025-68645) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-68645 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-68645

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate PHP RFI via HTTP Request Parameter Injection

    Expected signal: Web server access log entry with URL parameter containing http://attacker.lab/malicious.php; network connection attempt from PHP process to attacker.lab:80

  2. Test 2Create Simulated Web Shell in Zimbra Data Directory

    Expected signal: File creation event for /opt/zimbra/data/tmp/lab_test/shell_test_atomic.php; auditd syscall event for open/write by test user

  3. Test 3PHP Process Invoking Remote File Fetch (RFI Simulation)

    Expected signal: Process telemetry showing php binary with command-line containing http:// URL; network connection attempt from php process to 127.0.0.1:9999 (or external IP in real attack)

  4. Test 4Zimbra Config File Access by Non-Zimbra Process (Post-Exploitation Credential Harvest)

    Expected signal: Auditd open/read syscall event on /opt/zimbra/conf/localconfig.xml by non-zimbra UID; file access timestamp update visible in stat output

Unlock Pro Content

Get the full detection package for CVE-2025-68645 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1505.003Web ShellT1059.004Unix ShellT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections