CVE-2025-68721
Unknown Unknown - Not Provided
Improper Access Control in Axigen WebAdmin Enables SSL Certificate Manipulation

Publication date: 2026-02-05

Last updated on: 2026-02-13

Assigner: MITRE

Description
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68721
EUVD
EUVD-2025-206828
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
axigen axigen_mail_server From 10.3.0 (inc) to 10.5.57 (exc)
axigen axigen_mail_server From 10.6.0 (inc) to 10.6.26 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-68721 is an improper access control vulnerability in the Axigen Mail Server's WebAdmin interface affecting versions before 10.5.57. It allows a delegated admin account with zero permissions to bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint."}, {'type': 'paragraph', 'content': 'This means an attacker with such an account can view, download, upload, and delete SSL certificate files without having the necessary privileges to access this sensitive section.'}] [2]

Impact Analysis

Exploiting this vulnerability can have serious impacts including man-in-the-middle attacks, service disruption, domain impersonation, and privilege escalation.

Additionally, attackers can leverage existing cross-site scripting (XSS) vulnerabilities on the SSL Certificates page to target other administrator accounts, potentially leading to full system compromise.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to update Axigen WebAdmin to a fixed version.

  • Upgrade to Axigen WebAdmin version 10.5.57 or later if you are using the 10.5.x branch.
  • Upgrade to Axigen WebAdmin version 10.6.26 or later if you are using the 10.6.x branch.

Applying these updates will fix the improper access control vulnerability that allows delegated admin accounts with zero permissions to access and manipulate SSL certificate files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart