CVE-2025-68722

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-68722
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html Vendor Advisory
https://www.axigen.com/mail-server/download/ Product
https://github.com/osmancanvural/CVE-2025-68722 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:axigen:axigen_mail_server:*:*:*:*:*:*:*:*
cpe:2.3:a:axigen:axigen_mail_server:*:*:*:*:*:*:*:*
History

24 Feb 2026, 18:14

Type Values Removed Values Added
Summary
  • (es) Axigen Mail Server antes de 10.5.57 y 10.6.x antes de 10.6.26 contiene una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la interfaz WebAdmin debido a un manejo inadecuado del parámetro _s (breadcrumb). La aplicación acepta peticiones que cambian el estado a través del método GET y procesa automáticamente comandos codificados en base64 en cola en el parámetro _s inmediatamente después de la autenticación del administrador. Los atacantes pueden crear URL maliciosas que, cuando son clicadas por administradores, ejecutan acciones administrativas arbitrarias al iniciar sesión sin interacción adicional del usuario, incluyendo la creación de cuentas de administrador maliciosas o la modificación de configuraciones críticas del servidor.
References () https://github.com/osmancanvural/CVE-2025-68722 - () https://github.com/osmancanvural/CVE-2025-68722 - Exploit, Vendor Advisory

13 Feb 2026, 15:15

Type Values Removed Values Added
References
  • () https://github.com/osmancanvural/CVE-2025-68722 -

10 Feb 2026, 15:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.8 		v2 : unknown
v3 : 8.8

10 Feb 2026, 14:46

Type Values Removed Values Added
CPE cpe:2.3:a:axigen:axigen_mail_server:*:*:*:*:*:*:*:*
References () https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html - () https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html - Vendor Advisory
References () https://www.axigen.com/mail-server/download/ - () https://www.axigen.com/mail-server/download/ - Product
First Time Axigen axigen Mail Server
Axigen

09 Feb 2026, 22:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : 6.8
CWE CWE-79 CWE-352

05 Feb 2026, 21:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
CWE CWE-79

05 Feb 2026, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-05 16:15

Updated : 2026-02-24 18:14

NVD link : CVE-2025-68722

Mitre link : CVE-2025-68722

CVE.ORG link : CVE-2025-68722

JSON object : View

Products Affected

axigen

  • axigen_mail_server
CWE
CWE-352

Cross-Site Request Forgery (CSRF)