Cyber Posture

CVE-2025-59028

Medium

Published: 27 March 2026

Modified: 30 April 2026
KEV Added: not listed
Patch: fixed version available
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59028 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Dovecot (vendor: Dovecot). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 16.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 (Information Input Validation), prevent: directly validates invalid base64-encoded SASL inputs to prevent the login process disconnection and failure of active authentication sessions.

Prevent (control not named on this page): ensures timely patching of the Dovecot flaw via installation of the fixed version to remediate the improper input validation vulnerability.

SC-5 (Denial-of-service Protection), prevent: limits the effects of network-based DoS attacks that exploit invalid SASL data to disrupt concurrent logins and server availability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

CVE enables application exploitation leading to service DoS via crafted SASL input, directly matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When sending invalid base64 SASL data, the login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install the fixed version or disable concurrency in login processes (heavy performance penalty on large deployments). No publicly available exploits are known.

Deeper analysis (AI-generated)

CVE-2025-59028 is a denial-of-service vulnerability in Dovecot's login process. It occurs when invalid base64-encoded SASL data is sent, causing the login process to disconnect from the authentication server and fail all active authentication sessions. This affects Dovecot servers that support concurrent logins via SASL authentication, with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and is associated with CWE-20 (Improper Input Validation).

An unauthenticated attacker over the network can exploit this vulnerability by sending crafted invalid BASE64 data during a login attempt. This disrupts the login process, terminating all ongoing authentication sessions and preventing concurrent logins, effectively enabling a DoS condition that impacts server availability for legitimate users.

The advisory recommends installing the fixed version of Dovecot or disabling concurrency in login processes as a workaround, though the latter incurs a heavy performance penalty on large deployments. Details are available in the Open-Xchange Dovecot security advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json. No publicly available exploits are known.
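The analysis above describes a fault-isolation failure: one client's malformed SASL response takes down the login process's connection to the auth server, so every other in-flight login on that process fails too. The following is an added illustration, not Dovecot's code and not taken from the advisory; it is a constructed, simplified model of a login front-end that multiplexes several client sessions over one shared auth link (the `AuthLink` class and the two handler functions are hypothetical). It contrasts a handler whose decode error propagates to the shared link with one that validates the base64 strictly (the SI-10 mitigation) and fails only the offending session.

```python
import base64
import binascii
import re
from typing import Optional

# Strict RFC 4648 base64 shape: full quads, optional padding only at the end.
_B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


def decode_sasl_response(text: str) -> Optional[bytes]:
    """Return the decoded client response, or None if it is not valid base64.

    Both the regex and validate=True are used: the regex rejects stray
    padding in the middle of the string, validate=True rejects any
    non-alphabet byte instead of silently discarding it.
    """
    if not _B64_RE.fullmatch(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


class AuthLink:
    """Hypothetical stand-in for the single connection a login process keeps
    to the auth server, shared by every client session it is serving."""

    def __init__(self) -> None:
        self.connected = True
        self.sessions = {}  # session id -> "pending" | "forwarded" | "rejected" | "failed"

    def begin(self, sid: str) -> None:
        self.sessions[sid] = "pending"

    def forward(self, sid: str, data: bytes) -> None:
        # Once the link is gone, nothing can be forwarded for anyone.
        self.sessions[sid] = "forwarded" if self.connected else "failed"

    def drop(self) -> None:
        # Losing the shared link fails every session riding on it.
        self.connected = False
        for sid in self.sessions:
            self.sessions[sid] = "failed"


def handle_naive(link: AuthLink, sid: str, client_b64: str) -> str:
    """Model of the failure mode: a decode error is treated as a fatal
    protocol error on the shared link rather than on the one client."""
    link.begin(sid)
    try:
        raw = base64.b64decode(client_b64, validate=True)
    except binascii.Error:
        link.drop()
        return "disconnected"
    link.forward(sid, raw)
    return "ok" if link.connected else "failed"


def handle_validated(link: AuthLink, sid: str, client_b64: str) -> str:
    """Mitigated variant: malformed input ends only this client's exchange."""
    link.begin(sid)
    raw = decode_sasl_response(client_b64)
    if raw is None:
        link.sessions[sid] = "rejected"
        return "bad-base64"
    link.forward(sid, raw)
    return "ok"


def simulate(handler):
    """Run three constructed sessions through a handler over one shared link:
    a well-formed PLAIN response, a malformed one, then another well-formed one."""
    link = AuthLink()
    good = base64.b64encode(b"\0alice\0secret").decode()  # constructed sample credential
    results = {
        "s1": handler(link, "s1", good),
        "s2": handler(link, "s2", "not valid base64!!"),  # constructed malformed input
        "s3": handler(link, "s3", good),
    }
    return link.connected, dict(link.sessions), results


if __name__ == "__main__":
    print("naive:    ", simulate(handle_naive))
    print("validated:", simulate(handle_validated))
```

Running the module prints both outcomes: with the naive handler the shared link is down after the second session and all three sessions end as failed, which is the blast radius the advisory describes; with strict validation the link stays up, s2 is rejected on its own and s1 and s3 complete. The same pattern applies wherever one process front-ends many clients over a shared backend connection: validate untrusted framing at the edge and map a per-client parse failure to a per-client error, never to the shared resource.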

Details

CWE(s): CWE-20 (Improper Input Validation)

Affected Products

Vendor dovecot, product dovecot: versions ≤ 2.4.3
Vendor open-xchange, product dovecot: versions ≤ 3.1.2

CVEs Like This One

CVE-2025-59032: same product (Dovecot Dovecot)
CVE-2026-27857: same product (Dovecot Dovecot)
CVE-2026-27858: same product (Dovecot Dovecot)
CVE-2026-27623: shared CWE-20
CVE-2025-61614: shared CWE-20
CVE-2025-69278: shared CWE-20
CVE-2026-28894: shared CWE-20
CVE-2025-57835: shared CWE-20
CVE-2025-26702: shared CWE-20
CVE-2026-30078: shared CWE-20

References