Vulnerability Description
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Axigen | Axigen Mail Server | >= 10.3.0, < 10.5.57 |
Related Weaknesses (CWE)
References
- https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025Vendor Advisory
- https://www.axigen.com/mail-server/download/Product
- https://github.com/osmancanvural/CVE-2025-68722ExploitVendor Advisory
FAQ
What is CVE-2025-68722?
CVE-2025-68722 is a vulnerability with a CVSS score of 8.8 (HIGH). Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parame...
How severe is CVE-2025-68722?
CVE-2025-68722 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-68722?
Check the references section above for vendor advisories and patch information. Affected products include: Axigen Axigen Mail Server.