216.73.217.22

CVE-2025-68722

· Published 05/02/2026 16:15 · Modified 05/02/2026 21:15

Labels: CVE-2025-68722 2026-02-05CVE-2025-68722CWE-79[email protected]

Essential information

Published
05/02/2026 16:15
Modified
05/02/2026 21:15
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.

NVD status

Status
Undergoing Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
axigen / axigen mail server cpe:2.3:a:axigen:axigen_mail_server:<10.5.57:*:*:*:*:*:*:*
axigen / axigen mail server cpe:2.3:a:axigen:axigen_mail_server:10.6.<0-25>:*:*:*:*:*:*:*

References