Cyber Resilience

CVE-2025-25198

High

Published: 12 February 2025
Modified: 01 October 2025
KEV Added: not listed
Patch: available (version 2025-01a)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
EPSS Score: 0.0581 (90.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25198 is a high-severity Open Redirect (CWE-601) vulnerability in mailcow: dockerized (Mailcow mailcow_dockerized). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

mailcow: dockerized, an open source groupware and email suite, is affected by an open redirect vulnerability in its password reset functionality prior to version 2025-01a. The flaw allows manipulation of the Host HTTP header during reset requests, causing the generated link to point to an arbitrary domain instead of the legitimate mailcow instance. The issue is tracked as CWE-601 with a CVSS 3.1 score of 7.1.

An unauthenticated attacker can supply a crafted Host header to produce a poisoned password reset email. If a legitimate user follows the link, the attacker can capture the reset token and complete account takeover. The attack requires user interaction but no other privileges on the target system.

The GitHub Security Advisory for GHSA-3mvx-qw4r-fcqf states that version 2025-01a contains the fix. As a workaround, administrators can disable the password reset feature entirely by clearing the Notification email sender and Notification email subject fields under System -> Configuration -> Options -> Password Settings.

EPSS remains low, with a current score of 0.0581 and a peak of 0.0584.


Vulnerability details

mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.

CWE(s)

CWE-601 Open Redirect

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability in the public-facing mailcow application (password reset Host header manipulation) directly enables exploitation of the app for account takeover via poisoned reset links, mapping to T1190 and subsequent use of valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53909 (same product: Mailcow mailcow_dockerized)
CVE-2025-50067 (shared CWE-601)
CVE-2026-0508 (shared CWE-601)
CVE-2026-40961 (shared CWE-601)
CVE-2026-0573 (shared CWE-601)
CVE-2026-40905 (shared CWE-601)
CVE-2026-7504 (shared CWE-601)
CVE-2026-29067 (shared CWE-601)
CVE-2026-28512 (shared CWE-601)
CVE-2026-6795 (shared CWE-601)

Affected Assets

mailcow / mailcow_dockerized

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Validates HTTP Host header inputs in password reset requests to prevent generation of links pointing to attacker-controlled domains.

SI-15 Information Output Filtering (prevent): Filters generated password reset URLs in email outputs to ensure they only reference trusted domains, blocking poisoned links.

Patch (prevent): Remediates the flaw in mailcow's password reset functionality by applying the fix released in version 2025-01a.
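The Host header weakness described in the deeper analysis and the SI-10/SI-15 controls listed above, as an added example that is not mailcow's own code: a reset-link builder that trusts the request Host header (the CWE-601 pattern) next to a hardened one that validates the header against an allowlist and builds the link from a configured canonical origin, plus an output filter the mailer can apply. `TRUSTED_HOSTS`, `CANONICAL_BASE` and the hostnames are constructed assumptions for this example.

```python
from urllib.parse import quote, urlsplit

# Constructed deployment values (assumptions for this example): the hostnames
# a reset request may legitimately arrive on, and the single origin that
# reset links are ever built from.
TRUSTED_HOSTS = {"mail.example.org"}
CANONICAL_BASE = "https://mail.example.org"


def host_is_trusted(host_header: str) -> bool:
    """SI-10 style input validation: normalise the Host value (strip
    whitespace, case and port) and accept only an allowlisted hostname."""
    host = host_header.strip().lower().split(":", 1)[0]
    return host in TRUSTED_HOSTS


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """The CWE-601 pattern behind CVE-2025-25198: the link origin is taken
    straight from the request Host header, which the client controls."""
    return f"https://{headers.get('Host', '')}/reset?token={quote(token)}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Reject requests for unexpected hosts, then build the link from the
    configured canonical origin so the header value never reaches the URL."""
    if not host_is_trusted(headers.get("Host", "")):
        raise ValueError("password reset refused: untrusted Host header")
    return f"{CANONICAL_BASE}/reset?token={quote(token)}"


def link_is_trusted(link: str) -> bool:
    """SI-15 style output filter for the mailer: compare scheme and host of
    the rendered link exactly, so 'mail.example.org.evil.test' is rejected."""
    parts = urlsplit(link)
    canon = urlsplit(CANONICAL_BASE)
    return (parts.scheme, parts.netloc) == (canon.scheme, canon.netloc)


if __name__ == "__main__":
    # Constructed requests: one from the real hostname, one with a crafted Host.
    for host in ("mail.example.org", "attacker.example"):
        link = build_reset_link_vulnerable({"Host": host}, "tok123")
        print(f"Host={host!r:20} vulnerable -> {link}  trusted={link_is_trusted(link)}")
```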
