CVE-2025-68645 Elastic Security · Elastic

Detect Synacor Zimbra Collaboration Suite PHP Remote File Inclusion (CVE-2025-68645) in Elastic Security

Detects exploitation of CVE-2025-68645, a PHP Remote File Inclusion (RFI) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). CWE-98 class vulnerabilities allow attackers to inject and execute remote PHP files via unsanitized user-controlled input passed to PHP file inclusion functions, enabling arbitrary code execution in the context of the web server process. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [network where event.type == "connection" and
   destination.port in (80, 443, 8080, 8443) and
   process.name in ("php", "php-fpm", "php7.4", "php8.0", "php8.1", "php8.2") and
   (
     http.request.referrer : "*=http*" or
     url.query : "*=http*" or
     url.query : "*=ftp://*" or
     url.query : "*=php://input*"
   )]
  [file where event.type == "creation" and
   file.path : "/opt/zimbra/*" and
   file.extension == "php" and
   not file.path : "/opt/zimbra/lib/*" and
   not file.path : "/opt/zimbra/zimlets/*"]
critical severity medium confidence

EQL sequence correlation: first detects PHP process making outbound connections with RFI-pattern URL parameters, then correlates with unexpected PHP file creation in Zimbra directories within a 5-minute window.

Data Sources

Elastic EndpointAuditbeatPacketbeat

Required Tables

logs-endpoint.network-*logs-endpoint.file-*logs-system.syslog-*

False Positives & Tuning

  • Zimbra upgrade scripts that create PHP files in data directories as part of patching
  • Custom Zimlet deployments writing PHP files to non-standard paths
  • PHP-FPM health checks that incidentally create temporary files
  • Monitoring agents instrumenting Zimbra PHP processes for performance metrics

Other platforms for CVE-2025-68645

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate PHP RFI via HTTP Request Parameter Injection

    Expected signal: Web server access log entry with URL parameter containing http://attacker.lab/malicious.php; network connection attempt from PHP process to attacker.lab:80

  2. Test 2Create Simulated Web Shell in Zimbra Data Directory

    Expected signal: File creation event for /opt/zimbra/data/tmp/lab_test/shell_test_atomic.php; auditd syscall event for open/write by test user

  3. Test 3PHP Process Invoking Remote File Fetch (RFI Simulation)

    Expected signal: Process telemetry showing php binary with command-line containing http:// URL; network connection attempt from php process to 127.0.0.1:9999 (or external IP in real attack)

  4. Test 4Zimbra Config File Access by Non-Zimbra Process (Post-Exploitation Credential Harvest)

    Expected signal: Auditd open/read syscall event on /opt/zimbra/conf/localconfig.xml by non-zimbra UID; file access timestamp update visible in stat output

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-68645 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1505.003Web ShellT1059.004Unix ShellT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections