Impact
This vulnerability allows an attacker who can authenticate to the Zimbra Exchange Web Services (EWS) SOAP interface to submit specially crafted XML that includes external entity references. The server's XML parser resolves these references, allowing the attacker to read files residing on the Zimbra server. The impact is the disclosure of potentially sensitive configuration files, credentials, or other internal data, compromising confidentiality. The weakness is classified as CWE-611, a classic XML External Entity (XXE) condition. No denial-of-service or code execution path is noted, so the threat is limited to data exposure. The CVSS base score of 4.3 indicates low-to-moderate severity, reflecting that the authentication requirement and the nature of the data disclosed keep the risk profile modest compared to higher-scoring bugs.
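As an added example (not code from this advisory or from Zimbra), the parser-side check a defender can put in front of any SOAP endpoint: an expat parser configured so external entities are never resolved, run over two constructed envelopes, with any DOCTYPE treated as grounds to reject the request because a SOAP envelope never legitimately carries one. The sample bodies, the `Probe` element and the placeholder file path are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import xml.parsers.expat as expat
# Constructed sample requests (not real Zimbra EWS traffic).
CLEAN_BODY = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><Probe>hello</Probe></soap:Body>
</soap:Envelope>"""
XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE soap [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><Probe>&ext;</Probe></soap:Body>
</soap:Envelope>"""

@dataclass
class XmlInspection:
    doctype: Optional[str] = None
    external_entities: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    blocked_references: int = 0
    parse_error: Optional[str] = None

    @property
    def accepted(self) -> bool:
        # A SOAP envelope never needs a DTD, so any DOCTYPE is grounds to reject.
        return self.doctype is None and self.parse_error is None

def inspect_soap_body(body: bytes) -> XmlInspection:
    """Parse with external-entity resolution disabled and record what was seen."""
    result = XmlInspection()
    parser = expat.ParserCreate()
    # Never fetch the external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        result.doctype = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            result.external_entities.append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        result.blocked_references += 1  # refuse to read; the entity expands to nothing
        return 1  # non-zero keeps parsing so the rest of the request is inspected

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        result.parse_error = str(exc)
    return result
```

Because expat only reports the external reference to the handler and never opens the referenced path itself, the check runs fully offline; the recorded `external_entities` and `blocked_references` are what an application log or WAF rule would alert on.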
Affected Systems
The issue affects Zimbra Collaboration Suite releases 10.0 and 10.1. All editions of those major releases that expose the EWS SOAP interface are vulnerable. Administrators should verify whether their deployment is running any of the 10.0.x or 10.1.x branches, as the problem is specific to those major versions.
Risk and Exploitability
The exploit requires an authenticated user and the ability to send SOAP requests, so the threat vector is realistic within an internal network or for any attacker who has compromised credentials. The EPSS score of less than 1% indicates that active exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, the low exploitation probability does not negate the need for remediation, as the data exposed could be valuable. The CVSS score suggests the risk is moderate; combined with the requirement for authentication, its overall danger level is lower than that of Remote Code Execution bugs but still sufficient to warrant prompt action.
OpenCVE Enrichment