Detect Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645) in Google Chronicle
Detects exploitation of CVE-2025-68645, a PHP Remote File Inclusion (RFI) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CWE-98 class vulnerabilities allow attackers to inject and execute remote PHP files via unsanitized user-controlled input passed to PHP file inclusion functions, enabling arbitrary code execution in the context of the web server process. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
YARA-L Detection Query
rule zimbra_rfi_cve_2025_68645 {
meta:
author = "df00tech"
description = "Detects PHP RFI exploitation in Zimbra ZCS (CVE-2025-68645)"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-68645"
events:
(
$e.metadata.event_type = "NETWORK_HTTP"
and (
re.regex($e.network.http.request_url, `(?i)[?&][a-zA-Z_]+=https?://`)
or re.regex($e.network.http.request_url, `(?i)[?&][a-zA-Z_]+=php://input`)
or re.regex($e.network.http.request_url, `(?i)[?&][a-zA-Z_]+=ftp://`)
)
and (
re.regex($e.target.hostname, `(?i)zimbra`)
or re.regex($e.target.url, `(?i)/zimbra/`)
or re.regex($e.target.url, `(?i)/service/`)
)
)
or
(
$e.metadata.event_type = "FILE_CREATION"
and re.regex($e.target.file.full_path, `/opt/zimbra/(data/tmp|store|index)/.*\.php$`)
)
or
(
$e.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e.target.process.command_line, `(?i)(include|require|include_once|require_once).*https?://`)
and re.regex($e.principal.process.file.full_path, `(?i)php`)
)
condition:
$e
}Chronicle YARA-L rule detecting Zimbra ZCS PHP RFI exploitation via HTTP request URL parameter injection, unexpected PHP file creation in Zimbra data paths, and PHP process command-line RFI invocations.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Zimbra web service calls where URL-encoded callback parameters superficially match RFI patterns
- Zimbra REST API integrations passing remote resource URIs as query parameters
- PHP-based Zimbra extensions that legitimately create PHP files during installation
- Security tooling performing RFI vulnerability scanning against authorized Zimbra instances
Other platforms for CVE-2025-68645
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate PHP RFI via HTTP Request Parameter Injection
Expected signal: Web server access log entry with URL parameter containing http://attacker.lab/malicious.php; network connection attempt from PHP process to attacker.lab:80
- Test 2Create Simulated Web Shell in Zimbra Data Directory
Expected signal: File creation event for /opt/zimbra/data/tmp/lab_test/shell_test_atomic.php; auditd syscall event for open/write by test user
- Test 3PHP Process Invoking Remote File Fetch (RFI Simulation)
Expected signal: Process telemetry showing php binary with command-line containing http:// URL; network connection attempt from php process to 127.0.0.1:9999 (or external IP in real attack)
- Test 4Zimbra Config File Access by Non-Zimbra Process (Post-Exploitation Credential Harvest)
Expected signal: Auditd open/read syscall event on /opt/zimbra/conf/localconfig.xml by non-zimbra UID; file access timestamp update visible in stat output
Unlock Pro Content
Get the full detection package for CVE-2025-68645 including response playbook, investigation guide, and atomic red team tests.