CVE-2025-68722
Unknown Unknown - Not Provided
CSRF in Axigen WebAdmin Enables Unauthorized Administrative Actions

Publication date: 2026-02-05

Last updated on: 2026-02-24

Assigner: MITRE

Description
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68722
EUVD
EUVD-2025-206825
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
axigen axigen_mail_server From 10.3.0 (inc) to 10.5.57 (exc)
axigen axigen_mail_server From 10.6.0 (inc) to 10.6.26 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-68722 is a Cross-Site Request Forgery (CSRF) vulnerability in the Axigen Mail Server's WebAdmin interface versions before 10.5.57 and 10.6.26. The vulnerability occurs because the WebAdmin interface accepts state-changing requests via the HTTP GET method and automatically processes base64-encoded commands contained in the _s (breadcrumb) parameter immediately after an administrator logs in."}, {'type': 'paragraph', 'content': 'Attackers can craft malicious URLs embedding these commands in the _s parameter. When an administrator clicks such a link and authenticates, the queued commands execute without any further confirmation or user interaction. This allows attackers to perform arbitrary administrative actions such as creating rogue administrator accounts or modifying critical server configurations.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts because it allows attackers to execute arbitrary administrative actions on the Axigen Mail Server without the administrator's knowledge."}, {'type': 'list_item', 'content': 'Creation of rogue administrator accounts, giving attackers persistent and unauthorized access.'}, {'type': 'list_item', 'content': 'Modification of critical server configurations, potentially weakening security or disrupting mail services.'}, {'type': 'list_item', 'content': 'Changing security settings that could expose the server to further attacks.'}, {'type': 'list_item', 'content': "Overall, exploitation can lead to full compromise of the mail server's administrative functions."}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for suspicious HTTP GET requests to the Axigen WebAdmin interface that include the _s parameter containing base64-encoded commands. Such requests may indicate attempts to exploit the CSRF vulnerability by queuing malicious administrative actions.'}, {'type': 'paragraph', 'content': "You can inspect web server logs or network traffic for URLs targeting the WebAdmin interface with the _s parameter. For example, using command-line tools like grep to search logs for '_s=' in URLs can help identify potential exploit attempts."}, {'type': 'list_item', 'content': "grep '_s=' /var/log/httpd/access_log"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep '_s='"}, {'type': 'paragraph', 'content': 'Additionally, decoding the base64 content of the _s parameter from suspicious requests can reveal the administrative commands being executed.'}] [1]

Mitigation Strategies

The primary and recommended mitigation is to update the Axigen Mail Server WebAdmin interface to a fixed version: 10.5.57 or later for the 10.5.x branch, or 10.6.26 or later for the 10.6.x branch.

Until the update can be applied, administrators should avoid clicking on untrusted or suspicious links that may contain malicious _s parameters, especially in emails, support tickets, or other communication channels.

Implementing network-level protections such as web application firewalls (WAF) to block suspicious requests containing the _s parameter with base64-encoded payloads can also help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart