CVE-2025-54390
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated user into visiting a malicious webpage that silently sends a crafted SOAP request to reset the user's password. The vulnerability stems from a lack of CSRF token validation on the endpoint, allowing password resets without the user's consent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Zimbra Collaboration's ResetPasswordRequest operation allows an attacker to reset an authenticated user's password without consent.
Vulnerability
Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. The root cause is a lack of CSRF token validation on this endpoint, allowing an attacker to craft a malicious SOAP request that resets the victim's password without their knowledge or consent [1].
Exploitation
An attacker can exploit this vulnerability by tricking an authenticated Zimbra user into visiting a specially crafted webpage. This page silently sends a forged SOAP request to the Zimbra server, triggering a password reset. No additional authentication is required beyond the victim's active session: the browser automatically attaches the victim's session cookie to the cross-site request, so the server processes it as if it had been initiated by the legitimate user [1].
Impact
Successful exploitation allows the attacker to reset the victim's password, effectively gaining control of the user's account. This can lead to unauthorized access to emails, contacts, and other sensitive data stored in Zimbra Collaboration [1].
Mitigation
Zimbra has addressed this issue in ZCS 10.1.13 and 10.0.18, released on November 6, 2025, which include fixes for missing CSRF enforcement in specific authentication flows [1]. Users are strongly advised to upgrade to these or later versions. No workaround is mentioned in the available references.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
References: 3
News mentions: 0 (No linked articles in our index yet.)