PT-2026-6561 · Axigen · Axigen Mail Server

Published: 2026-02-05 · Updated: 2026-02-05 · CVE-2025-68722

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Axigen Mail Server versions prior to 10.5.57
Axigen Mail Server versions 10.6.0 through 10.6.25
Description
The software contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface, caused by improper handling of the s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and, once an administrator has authenticated, automatically processes the base64-encoded commands queued in the s parameter. An attacker can craft a malicious URL that, when an administrator clicks it, executes arbitrary administrative actions on login with no further user interaction, including creating rogue administrator accounts or modifying critical server configuration.
Recommendations
Update Axigen Mail Server to version 10.5.57 or later.
Update Axigen Mail Server to version 10.6.26 or later.
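The following is an added illustration, not Axigen's code and not a reproduction of the WebAdmin interface: it models the pattern the description names (a base64-encoded command queue carried in a GET parameter and executed automatically after login) beside a hardened handler that applies the standard CSRF defences, namely refusing state changes over GET, checking the Origin header, requiring a per-session CSRF token, and discarding anything queued before authentication. The paths, command vocabulary, origin and request shape are all constructed assumptions for the example.

```python
import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed deployment origin of the admin interface (constructed for this example).
ALLOWED_ORIGIN = "https://mail.example.test"


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    admin: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    pending: List[str] = field(default_factory=list)   # commands queued via 's'


def decode_queued_commands(s_param: str) -> List[str]:
    """Decode the base64 command queue carried in the 's' parameter.
    Malformed input yields an empty queue instead of an exception."""
    try:
        raw = base64.b64decode(s_param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return []
    return [c for c in raw.split(";") if c]


def vulnerable_handler(session, req, executed):
    """Models the flawed pattern: any HTTP method is accepted, there is no
    CSRF check, and commands queued before login run as soon as the
    administrator authenticates."""
    if "s" in req.params:
        session.pending.extend(decode_queued_commands(req.params["s"]))
    if req.path == "/login":
        session.admin = req.params.get("user")
    if session.admin is not None:
        executed.extend(session.pending)
        session.pending.clear()
    return "200 ok"


def hardened_handler(session, req, executed):
    """Same interface as vulnerable_handler, with the CSRF hole closed."""
    if req.path == "/login":
        session.admin = req.params.get("user")
        session.pending.clear()          # never carry pre-auth commands across login
        return "200 ok"
    if "s" not in req.params:
        return "200 ok"
    if session.admin is None:
        return "401 not authenticated"   # nothing is queued for later
    if req.method != "POST":
        return "405 state-changing requests must use POST"
    if req.headers.get("Origin") != ALLOWED_ORIGIN:
        return "403 cross-origin request rejected"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return "403 missing or invalid CSRF token"
    executed.extend(decode_queued_commands(req.params["s"]))
    return "200 ok"


def cross_site_scenario(handler):
    """Replay the advisory's scenario with a constructed, fictional command
    vocabulary: a cross-origin GET carrying a queued command arrives first,
    then the administrator logs in. Returns the commands that actually ran."""
    session, executed = Session(), []
    queued = base64.b64encode(b"add_admin rogue;set_relay open").decode()
    handler(session, Request("GET", "/admin", {"s": queued},
                             {"Origin": "https://attacker.example"}), executed)
    handler(session, Request("POST", "/login", {"user": "admin"}), executed)
    return executed


def legitimate_scenario():
    """A real administrator session against the hardened handler: log in, then
    submit a command via POST with the session's CSRF token and same origin."""
    session, executed = Session(), []
    hardened_handler(session, Request("POST", "/login", {"user": "admin"}), executed)
    cmd = base64.b64encode(b"set_relay closed").decode()
    req = Request("POST", "/admin", {"s": cmd, "csrf_token": session.csrf_token},
                  {"Origin": ALLOWED_ORIGIN})
    return hardened_handler(session, req, executed), executed


if __name__ == "__main__":
    print("vulnerable:", cross_site_scenario(vulnerable_handler))  # both commands run
    print("hardened:  ", cross_site_scenario(hardened_handler))    # []
    print("legitimate:", legitimate_scenario())
```

The point of the split is that each check in hardened_handler closes one part of the issue independently: the 401 path means an unauthenticated request can never stage work for a later session, the 405 path stops a bare link from changing state, and the Origin plus token checks stop a cross-site form post from doing so. Removing any one of them reopens a route for the scenario in cross_site_scenario.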

Exploit · Fix · XSS · CSRF

Weakness Enumeration

Related Identifiers: CVE-2025-68722

Affected Products: Axigen Mail Server