FKIE_CVE-2025-68721

Vulnerability from fkie_nvd - Published: 2026-02-05 16:15 - Updated: 2026-02-13 15:15
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section.
References
cve@mitre.orghttps://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.htmlVendor Advisory
cve@mitre.orghttps://www.axigen.com/mail-server/download/Product
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/osmancanvural/CVE-2025-68721
Impacted products
Vendor Product Version
axigen axigen_mail_server *
axigen axigen_mail_server *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:axigen:axigen_mail_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7FD23438-2B7F-48CB-9300-2A47F2B96A01",
              "versionEndExcluding": "10.5.57",
              "versionStartIncluding": "10.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:axigen:axigen_mail_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FE47CA3-597B-45EE-BCFA-60440CDB5ECB",
              "versionEndExcluding": "10.6.26",
              "versionStartIncluding": "10.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security \u0026 Filtering section."
    },
    {
      "lang": "es",
      "value": "Axigen Mail Server antes de 10.5.57 contiene una vulnerabilidad de control de acceso incorrecto en la interfaz WebAdmin. Una cuenta de administrador delegado con cero permisos puede eludir las comprobaciones de control de acceso y obtener acceso no autorizado al punto final de gesti\u00f3n de certificados SSL (page=sslcerts). Esto permite al atacante ver, descargar, cargar y eliminar archivos de certificados SSL, a pesar de carecer de los privilegios necesarios para acceder a la secci\u00f3n de Seguridad y Filtrado."
    }
  ],
  "id": "CVE-2025-68721",
  "lastModified": "2026-02-13T15:15:57.127",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-05T16:15:50.630",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://www.axigen.com/mail-server/download/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/osmancanvural/CVE-2025-68721"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.