CVE 8.8 HIGH

CVE-2025-68722_CVE-2025-68722

February 5, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.

AI Analysis

Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface

Basic Information

ID CVE-2025-68722

Source mitre

Published Feb 5, 2026 at 00:00

Modified Feb 5, 2026 at 20:32

Affected Product

Vendor Axigen

Product Axigen Mail Server

Version before 10.5.57, before 10.6.26

Affected Versions n/a n/a n/a

CWE Classification

CWE-79

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Axigen

Product Axigen Mail Server

Version before 10.5.57, before 10.6.26

References

{
    "lastseen": "",
    "description": "Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.",
    "published": "2026-02-05T00:00:00.000Z",
    "modified": "2026-02-05T20:32:12.669Z",
    "type": "cve",
    "title": "CVE-2025-68722",
    "source": "mitre",
    "references": "https://www.axigen.com/mail-server/download/\nhttps://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html",
    "id": "CVE-2025-68722",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Axigen Mail Server",
    "version": "before 10.5.57, before 10.6.26",
    "vendor": "Axigen",
    "ai_description": "Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface",
    "ai_severity": "High",
    "ai_vendor": "Axigen",
    "ai_product": "Axigen Mail Server",
    "ai_version": "before 10.5.57, before 10.6.26",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply