CVE-2025-68721

{"id": "CVE-2025-68721", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-02-05T16:15:50.630", "references": [{"url": "https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.axigen.com/mail-server/download/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/osmancanvural/CVE-2025-68721", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section."}, {"lang": "es", "value": "Axigen Mail Server antes de 10.5.57 contiene una vulnerabilidad de control de acceso incorrecto en la interfaz WebAdmin. Una cuenta de administrador delegado con cero permisos puede eludir las comprobaciones de control de acceso y obtener acceso no autorizado al punto final de gesti\u00f3n de certificados SSL (page=sslcerts). Esto permite al atacante ver, descargar, cargar y eliminar archivos de certificados SSL, a pesar de carecer de los privilegios necesarios para acceder a la secci\u00f3n de Seguridad y Filtrado."}], "lastModified": "2026-02-13T15:15:57.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:axigen:axigen_mail_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FD23438-2B7F-48CB-9300-2A47F2B96A01", "versionEndExcluding": "10.5.57", "versionStartIncluding": "10.3.0"}, {"criteria": "cpe:2.3:a:axigen:axigen_mail_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FE47CA3-597B-45EE-BCFA-60440CDB5ECB", "versionEndExcluding": "10.6.26", "versionStartIncluding": "10.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}