CVE-2025-68722
CSRF in Axigen WebAdmin Enables Unauthorized Administrative Actions

Publication date: 2026-02-05

Last updated on: 2026-02-24

Assigner: MITRE

Description
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.
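To make the defect class concrete, the following is an added illustration, not Axigen's code and not taken from the advisory: a deliberately simplified model of the flaw the description reports (state change accepted over GET, a command taken from the `_s` parameter, queued before authentication and executed as soon as the session is authenticated) next to the same endpoint with the usual CSRF defences applied. The `_s` parameter name comes from the page; the `login=ok` trigger, the `placeholder-admin-command` string and the `mail.example.internal` origin are placeholders for this example only.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Session:
    authenticated: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    pending: list = field(default_factory=list)  # pre-login queue (vulnerable model only)


def vulnerable_handle(session, method, params, audit):
    """Simplified model of the flaw; this is not Axigen's code.

    The request method is never checked, a command arriving in `_s` is queued
    even when the session is not yet authenticated, and the queue is drained
    the moment the session becomes authenticated. A link opened before login
    therefore executes right after login with no further interaction.
    """
    if "_s" in params:
        session.pending.append(params["_s"])
    if params.get("login") == "ok":            # stand-in for a successful login
        session.authenticated = True
    if session.authenticated:
        while session.pending:
            audit.append(session.pending.pop(0))
    return "ok"


def hardened_handle(session, method, params, headers, audit, own_origin):
    """The same endpoint with the standard CSRF defences in place."""
    if params.get("login") == "ok":
        session.authenticated = True
        session.csrf_token = secrets.token_hex(16)  # rotate the token on login
        session.pending.clear()                     # never carry intents across login
        return "login"
    action = params.get("_s")
    if action is None:
        return "noop"
    if not session.authenticated:
        return "rejected:unauthenticated"
    if method != "POST":
        return "rejected:method"                    # state changes only via POST
    # Compare scheme and host exactly; a prefix check would accept look-alike hosts.
    origin = urlsplit(headers.get("Origin") or headers.get("Referer", ""))
    own = urlsplit(own_origin)
    if (origin.scheme, origin.netloc) != (own.scheme, own.netloc):
        return "rejected:origin"                    # request did not come from our own UI
    if not hmac.compare_digest(params.get("csrf_token", ""), session.csrf_token):
        return "rejected:token"                     # missing or forged synchronizer token
    audit.append(action)
    return "executed"


OWN = "https://mail.example.internal"   # placeholder origin of the admin UI
CMD = "placeholder-admin-command"       # placeholder, not a real command


def demo():
    """Run the same link-then-login sequence against both handlers."""
    s, audit = Session(), []
    vulnerable_handle(s, "GET", {"_s": CMD}, audit)       # link opened before login
    vulnerable_handle(s, "POST", {"login": "ok"}, audit)  # login drains the queue

    h, haudit = Session(), []
    r1 = hardened_handle(h, "GET", {"_s": CMD}, {}, haudit, OWN)
    hardened_handle(h, "POST", {"login": "ok"}, {}, haudit, OWN)
    r2 = hardened_handle(h, "GET", {"_s": CMD}, {"Referer": OWN + "/"}, haudit, OWN)
    r3 = hardened_handle(h, "POST", {"_s": CMD, "csrf_token": h.csrf_token},
                         {"Origin": "http://attacker.example"}, haudit, OWN)
    r4 = hardened_handle(h, "POST", {"_s": CMD, "csrf_token": "guess"},
                         {"Origin": OWN}, haudit, OWN)
    r5 = hardened_handle(h, "POST", {"_s": CMD, "csrf_token": h.csrf_token},
                         {"Origin": OWN}, haudit, OWN)
    return audit, haudit, (r1, r2, r3, r4, r5)


if __name__ == "__main__":
    print(demo())
```

In the vulnerable model the single pre-login GET is enough for the command to run once the administrator logs in; in the hardened model the same sequence is inert, and only an authenticated POST carrying the session's token from the application's own origin reaches the audit log. Clearing any pre-authentication intent at login is the part specific to this advisory: a "breadcrumb" queue that survives the login boundary is what turns a clicked link into an action.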
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product              Version / Range
axigen   axigen_mail_server   From 10.3.0 (inc) to 10.5.57 (exc)
axigen   axigen_mail_server   From 10.6.0 (inc) to 10.6.26 (exc)
CWE ID    Description
CWE-79    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352   The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-68722 is a Cross-Site Request Forgery (CSRF) vulnerability in the Axigen Mail Server's WebAdmin interface, versions before 10.5.57 and 10.6.26. The vulnerability occurs because the WebAdmin interface accepts state-changing requests via the HTTP GET method and automatically processes base64-encoded commands contained in the _s (breadcrumb) parameter immediately after an administrator logs in.

Attackers can craft malicious URLs embedding these commands in the _s parameter. When an administrator clicks such a link and authenticates, the queued commands execute without any further confirmation or user interaction. This allows attackers to perform arbitrary administrative actions such as creating rogue administrator accounts or modifying critical server configurations. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows attackers to execute arbitrary administrative actions on the Axigen Mail Server without the administrator's knowledge.

- Creation of rogue administrator accounts, giving attackers persistent and unauthorized access.
- Modification of critical server configurations, potentially weakening security or disrupting mail services.
- Changing security settings that could expose the server to further attacks.
- Overall, exploitation can lead to full compromise of the mail server's administrative functions. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for suspicious HTTP GET requests to the Axigen WebAdmin interface that include the _s parameter containing base64-encoded commands. Such requests may indicate attempts to exploit the CSRF vulnerability by queuing malicious administrative actions.

You can inspect web server logs or network traffic for URLs targeting the WebAdmin interface with the _s parameter. For example, using command-line tools like grep to search logs for '_s=' in URLs can help identify potential exploit attempts.

- grep '_s=' /var/log/httpd/access_log
- tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep '_s='

Additionally, decoding the base64 content of the _s parameter from suspicious requests can reveal the administrative commands being executed. [1]
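
The grep above only shows that an _s parameter was present. The following added example, written for this page and not part of the advisory or of any Axigen tooling, goes one step further over Apache/nginx combined-format access log lines: it extracts every _s value, base64-decodes it where possible (tolerating stripped padding and a '+' that a pipeline turned into a space, and reporting values that are not base64 at all), and flags requests whose Referer is missing or from a foreign host, which is the cross-site shape of a link followed from mail or a ticket. The log lines are constructed; the /admin/ path and the decoded placeholder-admin-command string are placeholders, since the page does not give Axigen's real WebAdmin path or command syntax.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def query_params(query):
    """Split a query string into {name: [values]} without turning '+' into a space.

    parse_qs() would apply that conversion, which corrupts standard base64
    values containing '+', so the split is done by hand and only percent-decoded.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def decode_s_param(value):
    """Return the decoded bytes of an _s value, or None if it is not valid base64."""
    # Restore a '+' that was already decoded to a space upstream (proxies, log
    # pipelines) and re-add padding that URL handling commonly strips.
    value = value.strip().replace(" ", "+")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_log(lines, own_hosts):
    """Return one finding per request that carries an _s parameter.

    own_hosts: hostnames of the server's own WebAdmin interface. A request whose
    Referer is absent or from any other host has the cross-site shape described
    in the advisory (a link followed from mail, a ticket or another web page).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        target = urlsplit(m.group("target"))
        params = query_params(target.query)
        if "_s" not in params:
            continue
        referer = m.group("referer")
        referer_host = urlsplit(referer).hostname if referer != "-" else None
        for raw in params["_s"]:
            decoded = decode_s_param(raw)
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "method": m.group("method"),
                "path": target.path,
                "valid_base64": decoded is not None,
                "decoded": decoded.decode("utf-8", "replace") if decoded is not None else None,
                "cross_site": referer_host is None or referer_host not in own_hosts,
            })
    return findings


# Constructed sample lines, not real Axigen traffic. The /admin/ path and the
# decoded command are placeholders; the advisory does not give the real ones.
_PLACEHOLDER = base64.b64encode(b"placeholder-admin-command").decode()
SAMPLE_LOGS = [
    f'203.0.113.7 - - [05/Feb/2026:10:00:01 +0000] "GET /admin/?_s={_PLACEHOLDER} HTTP/1.1" 302 0 "http://attacker.example/" "Mozilla/5.0"',
    '198.51.100.2 - - [05/Feb/2026:10:00:05 +0000] "GET /admin/?_s=not%20base64%21 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'192.0.2.9 - - [05/Feb/2026:10:01:00 +0000] "GET /admin/?page=x&_s={_PLACEHOLDER} HTTP/1.1" 200 1024 "https://mail.example.internal/admin/" "Mozilla/5.0"',
    '192.0.2.9 - - [05/Feb/2026:10:02:00 +0000] "POST /admin/login HTTP/1.1" 302 0 "https://mail.example.internal/admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOGS, {"mail.example.internal"}):
        flag = "CROSS-SITE" if f["cross_site"] else "same-site"
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} [{flag}] _s -> {f['decoded']!r}")
```

In production, feed the scanner only lines for the WebAdmin path and treat cross-site findings with a valid base64 payload as the highest priority for review; a value that does not decode is still worth a look, since it may be a probe or a mangled encoding. For the HTTPS case, this has to run on the server's own access log or behind TLS termination, because the ciphertext on the wire does not contain the parameter.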


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to update the Axigen Mail Server WebAdmin interface to a fixed version: 10.5.57 or later for the 10.5.x branch, or 10.6.26 or later for the 10.6.x branch.

Until the update can be applied, administrators should avoid clicking on untrusted or suspicious links that may contain malicious _s parameters, especially in emails, support tickets, or other communication channels.

Implementing network-level protections such as web application firewalls (WAF) to block suspicious requests containing the _s parameter with base64-encoded payloads can also help reduce risk.

