Cyber Resilience

CVE-2025-53909

Critical

Published: 17 July 2025

Published
17 July 2025
Modified
11 September 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0068 72.1th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53909 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Mailcow Mailcow\. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-53909 is a Server-Side Template Injection (SSTI) vulnerability, classified under CWE-1336, affecting the notification template system in mailcow: dockerized, an open-source groupware and email suite based on Docker. The flaw exists in versions prior to 2025-07 and impacts the rendering engine used for sending quota and quarantine alerts, where template expressions can be abused to execute arbitrary code in certain contexts.

Exploitation requires admin-level access to the mailcow UI to configure malicious templates, which are then automatically rendered during normal system operations such as alert notifications. A threat actor with such privileges can inject harmful template expressions, leading to remote code execution with high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

The mailcow project has addressed the issue in version 2025-07 with a patch, detailed in the commit at https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b and the security advisory at https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m. Security practitioners should upgrade to the patched version and review admin access controls to mitigate risks from compromised privileged accounts.

EU & UK References

Vulnerability details

mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering…

more

engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSTI vulnerability directly enables remote code execution by exploiting the web application's template rendering engine (T1190: Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25198Same product: Mailcow Mailcow\
CVE-2026-21448Shared CWE-1336
CVE-2026-34587Shared CWE-1336
CVE-2026-9558Shared CWE-1336
CVE-2025-49828Shared CWE-1336
CVE-2025-59340Shared CWE-1336
CVE-2025-69516Shared CWE-1336
CVE-2026-26938Shared CWE-1336
CVE-2026-21450Shared CWE-1336
CVE-2024-54954Shared CWE-1336

Affected Assets

mailcow
mailcow\
_dockerized

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SSTI vulnerability by enforcing input validation on admin-configured template expressions in the notification rendering engine.

prevent

Ensures timely remediation of the specific SSTI flaw through patching to version 2025-07, preventing exploitation during template rendering.

prevent

Limits exploitation by restricting admin-level UI access required to inject malicious templates, reducing the attack surface from privileged accounts.

References