CVE-2025-68722
Published: 05 February 2026
Summary
CVE-2025-68722 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Axigen Mail Server. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68722 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the WebAdmin interface in Axigen Mail Server versions before 10.5.57 and 10.6.x before 10.6.26. The flaw stems from improper handling of the _s (breadcrumb) parameter: the application accepts state-changing requests via the GET method and, immediately after administrator authentication, automatically processes base64-encoded commands that were queued in this parameter. Once the administrator has logged in, the queued administrative command runs with no further user interaction.
Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by crafting a URL and getting an administrator to open it, for example from a phishing email or a compromised site (UI:R). When the administrator then authenticates to WebAdmin, the queued command executes automatically, so the attacker can perform arbitrary administrative actions such as creating rogue administrator accounts or modifying critical server configuration, with high confidentiality, integrity, and availability impact (C:H/I:H/A:H). The full vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 8.8. Note that because the state change rides on a top-level GET navigation, a session cookie with the browser-default SameSite=Lax treatment is still sent along with the lure; the defences that actually close this class of bug are refusing to change state on GET, not carrying anonymously queued actions across the login boundary, requiring a per-session synchronizer token on state-changing requests, and checking Origin/Referer.
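To make the mechanism concrete, the following is an added model written for this page, not Axigen's source code: the WebAdmin internals, the real format of the base64 payload and its command syntax are not public here, so the `/admin/` path, the `create_admin:name` command and the `password == "correct"` check are hypothetical stand-ins. It places the flawed pattern (a GET with `_s` queues a decoded command in the pre-authentication session, and login runs it) beside a hardened handler that treats `_s` as an allowlisted navigation value, rejects state changes on GET, discards pre-authentication session state at login, and requires a per-session synchronizer token on POST.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


# Hypothetical command syntax for this model only: "verb:argument".
def _execute(app, cmd):
    verb, _, arg = cmd.partition(":")
    if verb == "create_admin" and arg:
        app.admins.add(arg)


class VulnerableWebAdmin:
    """Models the flawed pattern described in the advisory: a GET carrying _s
    stores the decoded command in the (not yet authenticated) session, and a
    later successful login executes it without further interaction."""

    def __init__(self):
        self.admins = {"admin"}

    def handle(self, method, url, session, form=None):
        qs = parse_qs(urlsplit(url).query)
        if "_s" in qs:
            # No method restriction, no Origin/Referer check, no anti-CSRF token.
            session["queued"] = base64.b64decode(qs["_s"][0]).decode()
        return "dashboard" if "user" in session else "login_page"

    def login(self, session, user, password):
        if password != "correct":            # constructed credential check
            return False
        session["user"] = user
        queued = session.pop("queued", None)
        if queued:
            _execute(self, queued)           # runs as the freshly logged-in admin
        return True


class HardenedWebAdmin:
    """Same API with the fixes a reviewer would ask for."""

    BREADCRUMBS = {"dashboard", "domains", "users"}   # allowlist of view names

    def __init__(self):
        self.admins = {"admin"}

    def login(self, session, user, password):
        if password != "correct":
            return False
        session.clear()                      # nothing queued pre-auth survives
        session["user"] = user
        session["csrf"] = secrets.token_urlsafe(32)
        return True

    def handle(self, method, url, session, form=None):
        qs = parse_qs(urlsplit(url).query)
        crumb = qs.get("_s", ["dashboard"])[0]
        if crumb not in self.BREADCRUMBS:    # _s is navigation, never a command
            return "bad_request"
        if "user" not in session:
            return "login_page"
        if method == "GET":
            return crumb                     # GET is read-only
        token = (form or {}).get("csrf_token", "")
        if not hmac.compare_digest(token, session["csrf"]):
            return "forbidden"               # forged cross-site POST rejected
        _execute(self, (form or {}).get("cmd", ""))
        return "ok"


# Constructed lure: the attacker's link carries the base64-encoded command.
LURE_CMD = base64.b64encode(b"create_admin:attacker").decode()
LURE_URL = f"https://mail.example.test/admin/?_s={LURE_CMD}"


def simulate_lure(app):
    """Admin opens the lure (same pre-auth session cookie), then logs in.
    Returns True if a rogue admin account appeared."""
    session = {}
    app.handle("GET", LURE_URL, session)
    app.login(session, "admin", "correct")
    return "attacker" in app.admins


def post_as_admin(app, cmd, with_token):
    """Authenticated POST, with or without the session's synchronizer token."""
    session = {}
    app.login(session, "admin", "correct")
    form = {"cmd": cmd}
    if with_token:
        form["csrf_token"] = session["csrf"]
    status = app.handle("POST", "https://mail.example.test/admin/?_s=users", session, form)
    return status, sorted(app.admins)


if __name__ == "__main__":
    print("vulnerable model, lure succeeds:", simulate_lure(VulnerableWebAdmin()))  # True
    print("hardened model, lure succeeds:  ", simulate_lure(HardenedWebAdmin()))    # False
    print(post_as_admin(HardenedWebAdmin(), "create_admin:alice", True))     # ('ok', ['admin', 'alice'])
    print(post_as_admin(HardenedWebAdmin(), "create_admin:mallory", False))  # ('forbidden', ['admin'])
```

The model deliberately omits two controls a real fix should still have: an Origin/Referer check on state-changing requests, and SameSite=Strict on the session cookie. SameSite=Lax alone would not help here, because the lure is a top-level GET navigation and Lax cookies are sent with those.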
The vendor has addressed the issue in Axigen Mail Server 10.5.57 and 10.6.26; security practitioners should update affected installations immediately. Additional details are available in the Axigen knowledgebase advisory at https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html, patches via the download page at https://www.axigen.com/mail-server/download/, and a proof-of-concept in the GitHub repository at https://github.com/osmancanvural/CVE-2025-68722.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206825
Vulnerability details
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
CSRF in public-facing WebAdmin directly enables exploitation of the mail server application for arbitrary admin command execution.
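For hunting in web server logs, here is an added detection script (written for this page, not from the vendor or the advisory). The combined log format, the `/admin` path, the `mail.example.test` host and the decoded command text are all constructed assumptions; the real WebAdmin path and the real encoding of queued commands are not stated here. It flags GET requests to the WebAdmin carrying `_s` that arrive from a foreign or missing Referer, and base64-decodes the value for analyst triage. It keys on origin rather than on base64 itself, since the legitimate breadcrumb also travels in `_s`.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Host and path of the WebAdmin interface being monitored (assumptions for
# this example; substitute the real ones).
WEBADMIN_HOST = "mail.example.test"
WEBADMIN_PATH = "/admin"

# Constructed sample in Apache/nginx "combined" log format. Line 2 is a lure
# reached from a foreign site, line 4 carries no Referer at all; lines 1 and 3
# are ordinary same-origin traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2026:10:01:02 +0000] "GET /admin/?_s=dXNlcnM= HTTP/1.1" 200 512 "https://mail.example.test/admin/" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2026:10:03:15 +0000] "GET /admin/?_s=Y3JlYXRlX2FkbWluOmF0dGFja2Vy HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2026:10:03:16 +0000] "POST /admin/login HTTP/1.1" 302 0 "https://mail.example.test/admin/" "Mozilla/5.0"
198.51.100.4 - - [05/Feb/2026:10:05:40 +0000] "GET /admin/?_s=ZG9tYWlucw== HTTP/1.1" 200 611 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode_s(value):
    """Decode a _s value for triage; None if it is not valid standard base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()          # binary payload: show hex rather than drop it


def referer_is_foreign(referer):
    """True when the request did not come from a page on the WebAdmin host.
    A missing Referer ("-" in the log) is treated as untrusted: a lure opened
    from a mail client, or a page with a strict Referrer-Policy, sends none."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != WEBADMIN_HOST


def find_suspicious(log_text):
    """Return one dict per GET to the WebAdmin path that carries _s and does
    not originate from the WebAdmin itself."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith(WEBADMIN_PATH):
            continue
        # parse_qs percent-decodes, so a '+' inside base64 must be %2B in the
        # URL to survive; values that fail to decode are still reported.
        qs = parse_qs(parts.query)
        if "_s" not in qs or not referer_is_foreign(m["referer"]):
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": m["status"],
            "referer": m["referer"], "raw_s": qs["_s"][0],
            "decoded": decode_s(qs["_s"][0]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

On the constructed sample this reports the lure from evil.example (decoding to the stand-in `create_admin:attacker`) and the no-Referer request (decoding to `domains`), and ignores the same-origin breadcrumb request and the login POST. A no-Referer hit that decodes to a plain view name is usually benign, so pair this with a follow-up query for account or configuration changes shortly after the same client's next login.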
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate the _s breadcrumb parameter as a navigation value against an allowlist of known views, so that base64-encoded commands smuggled through it in state-changing GET requests are rejected rather than queued.
- SC-23 (Session Authenticity): enforce session authenticity mechanisms such as anti-CSRF (synchronizer) tokens on state-changing requests, and do not carry actions queued before authentication into the authenticated session, so forged cross-site requests against the WebAdmin interface cannot act on the administrator's behalf after login.
- SI-2 (Flaw Remediation): apply the vendor patches (10.5.57 and 10.6.26) in a timely manner to the affected Axigen versions.