Cyber Posture

CVE-2025-59032

Severity: High

Published: 27 March 2026
Modified: 30 April 2026
KEV Added: (not listed)
Patch: available (upgrade to a fixed version)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (18.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59032 is a high-severity Improper Input Validation (CWE-20) vulnerability in Dovecot (vendor: Dovecot). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 18.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (patch to the fixed version): Directly remediates the improper input validation flaw in Dovecot's ManageSieve AUTHENTICATE command by requiring timely patching to the fixed version.

prevent (CM-7 Least Functionality): Eliminates exposure to the vulnerability by prohibiting or restricting the unnecessary ManageSieve service and port.

prevent (SC-7 Boundary Protection): Prevents unauthenticated remote access to the vulnerable ManageSieve port through boundary protection mechanisms such as firewalls.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The unauthenticated remote crash via crafted AUTHENTICATE input directly enables application exploitation for endpoint denial of service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known.

Deeper analysis

CVE-2025-59032 is a denial-of-service vulnerability in the ManageSieve service of Dovecot, where the AUTHENTICATE command crashes upon receiving a literal as the SASL initial response. This flaw, associated with CWE-20 (Improper Input Validation), affects Dovecot installations exposing the ManageSieve port, which is used for managing Sieve scripts in email filtering. The issue received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high severity due to the potential for remote disruption without authentication.

Unauthenticated remote attackers can exploit this vulnerability by sending a specially crafted AUTHENTICATE command with a literal SASL initial response, causing the ManageSieve service to crash. Repeated exploitation enables sustained denial-of-service, rendering the service unavailable to legitimate users and potentially impacting email filtering operations dependent on Sieve scripts.

The Open-Xchange Dovecot security advisory recommends mitigating the vulnerability by controlling access to the ManageSieve port, disabling the service if not required, or upgrading to a patched version of Dovecot. No publicly available exploits are known at this time.
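The two defensive angles the advisory gives (detect the repeated crashes that make up the denial of service, and confirm whether ManageSieve is enabled at all) can both be checked from the mail server's own output. The following is an added example written for this page; it is not code from the advisory, from Dovecot or from Open-Xchange. The syslog lines and the `doveconf -n` excerpts are constructed samples, and the exact wording of Dovecot's crash report line is an assumption you should adjust to match your own logs; the `protocols` setting and the `sieve` protocol name are real Dovecot configuration.

```python
"""Detect bursts of ManageSieve crashes in Dovecot logs and check exposure.

Added example for CVE-2025-59032 (not the advisory's or Dovecot's code).
The crash-line format below is an ASSUMPTION modelled on Dovecot's master
process error reports; tune CRASH_RE to your syslog output.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real captures): three managesieve
# worker crashes within ten seconds, one unrelated imap crash later.
SAMPLE_LOG = """\
2026-03-27T10:00:01 mail1 dovecot: managesieve-login: Login: user=<alice>, rip=198.51.100.7
2026-03-27T10:00:05 mail1 dovecot: master: Error: service(managesieve): child 4101 killed with signal 11 (core dumped)
2026-03-27T10:00:09 mail1 dovecot: master: Error: service(managesieve): child 4105 killed with signal 11 (core dumped)
2026-03-27T10:00:12 mail1 dovecot: imap-login: Login: user=<bob>, rip=203.0.113.9
2026-03-27T10:00:14 mail1 dovecot: master: Error: service(managesieve): child 4109 killed with signal 11 (core dumped)
2026-03-27T10:30:00 mail1 dovecot: master: Error: service(imap): child 5000 killed with signal 11 (core dumped)
"""

# Constructed `doveconf -n` excerpts: one with ManageSieve enabled, one without.
EXPOSED_CONF = "protocols = imap lmtp sieve\nlisten = *\n"
HARDENED_CONF = "protocols = imap lmtp\nlisten = *\n"

CRASH_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+dovecot:\s+master:\s+Error:\s+"
    r"service\((?P<svc>[\w-]+)\):\s+child\s+\d+\s+killed with signal\s+(?P<sig>\d+)"
)


def parse_crashes(log_text, service="managesieve"):
    """Return the timestamps of crash reports for one Dovecot service."""
    times = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group("svc") == service:
            times.append(datetime.fromisoformat(m.group("ts")))
    return times


def crash_bursts(times, threshold=3, window=timedelta(minutes=1)):
    """Sliding-window count over crash timestamps.

    Returns (window_start, count) each time at least `threshold` crashes of
    the same service fall inside `window`. A single crash is noise; a burst
    is the pattern of the repeated-crash DoS the advisory describes.
    """
    alerts = []
    recent = deque()
    for t in sorted(times):
        recent.append(t)
        while recent and t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], len(recent)))
    return alerts


def sieve_enabled(doveconf_output):
    """True when the `protocols` line of `doveconf -n` output lists sieve,
    i.e. the ManageSieve service is enabled (CM-7 check: disable it if unused)."""
    for line in doveconf_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "protocols":
            return "sieve" in value.split()
    return False


if __name__ == "__main__":
    for start, n in crash_bursts(parse_crashes(SAMPLE_LOG)):
        print(f"ALERT: {n} managesieve crashes within a minute starting {start}")
    print("ManageSieve enabled:", sieve_enabled(EXPOSED_CONF))
```

On the sample input the detector raises one alert (three managesieve crashes starting 10:00:05) and ignores the lone imap crash; feed it `journalctl -u dovecot` or your syslog export instead of `SAMPLE_LOG`. An alert on a host where `sieve_enabled()` is true and the port is reachable from outside is the case the advisory's CM-7 and SC-7 recommendations address.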

Details

CWE(s)

CWE-20 Improper Input Validation

Affected Products

Vendor: dovecot, Product: dovecot, Versions: ≤ 2.4.3
Vendor: open-xchange, Product: dovecot, Versions: ≤ 3.1.3

CVEs Like This One

CVE-2025-59028 (same product: Dovecot Dovecot)
CVE-2026-27857 (same product: Dovecot Dovecot)
CVE-2026-27858 (same product: Dovecot Dovecot)
CVE-2026-27623 (shared CWE-20)
CVE-2025-61614 (shared CWE-20)
CVE-2025-69278 (shared CWE-20)
CVE-2026-28894 (shared CWE-20)
CVE-2025-57835 (shared CWE-20)
CVE-2025-26702 (shared CWE-20)
CVE-2026-30078 (shared CWE-20)
