Cyber Posture

CVE-2025-25198

Severity: High
Published: 12 February 2025
Modified: 01 October 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
EPSS Score: 0.0581 (90.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Security Summary

CVE-2025-25198 is a vulnerability in mailcow: dockerized, an open source groupware and email suite based on Docker, affecting versions prior to 2025-01a. It exists in the password reset functionality, where an attacker can manipulate the Host HTTP header to generate a password reset link pointing to an attacker-controlled domain. Classified as CWE-601 (URL Redirection to Untrusted Site), it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N).

The attack requires no privileges and can be launched remotely over the network with low complexity, though it depends on user interaction. An unauthenticated attacker tricks a user into initiating a password reset, intercepts or crafts the request to alter the Host header, and delivers an email with a poisoned link. If the user clicks the link, the attacker achieves account takeover, enabling high integrity impact such as unauthorized access and control over the victim's email account.

The GitHub security advisory (GHSA-3mvx-qw4r-fcqf) confirms that version 2025-01a contains a patch. As a workaround, deactivate password reset by clearing the "Notification email sender" and "Notification email subject" fields under System -> Configuration -> Options -> Password Settings.
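The defensive pattern the fix needs, shown as an added example rather than mailcow's own code: a reset-link builder that takes its hostname from the request's Host header (the CWE-601 pattern) next to one that ignores the header, rejects unexpected Host values and builds the link from a configured canonical origin. The origin, allowlist and reset path are assumed values.

```python
import secrets
from urllib.parse import urlunsplit

# Constructed configuration (assumed; a real deployment loads it from settings).
# The canonical origin is the only source for the link's scheme and host.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "mail.example.test"
# Host header values this instance is willing to serve (assumed allowlist).
ALLOWED_HOSTS = {"mail.example.test", "mail.example.test:443"}
RESET_PATH = "/reset-password"  # assumed path, not mailcow's


class HostNotAllowed(ValueError):
    """The request carried a Host header that is not one of ours."""


def new_reset_token() -> str:
    """Unguessable token; the link is only as strong as this value."""
    return secrets.token_urlsafe(32)


def vulnerable_reset_link(host_header: str, token: str) -> str:
    """CWE-601 pattern: the hostname in the emailed link is copied from the
    client-supplied Host header, so whoever controls that header decides
    where the token is sent when the user clicks."""
    return f"https://{host_header}{RESET_PATH}?token={token}"


def hardened_reset_link(host_header: str, token: str) -> str:
    """Never derive the link from the request. Refuse to act at all when the
    Host header is not a configured hostname, then build the URL from the
    canonical origin only."""
    if host_header.strip().lower() not in ALLOWED_HOSTS:
        raise HostNotAllowed(f"unexpected Host header: {host_header!r}")
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, RESET_PATH,
                       f"token={token}", ""))


if __name__ == "__main__":
    token = new_reset_token()
    # Same spoofed header, two outcomes.
    print(vulnerable_reset_link("spoofed.example", token))  # link leaves our domain
    try:
        hardened_reset_link("spoofed.example", token)
    except HostNotAllowed as exc:
        print("rejected:", exc)
    print(hardened_reset_link("mail.example.test", token))
```

In a web framework the same check belongs in a request filter (or the reverse proxy's vhost configuration) so that every handler, not only password reset, refuses unknown Host values.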

Details

CWE(s)
CWE-601

Affected Products

mailcow
mailcow_dockerized

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability in the public-facing mailcow application (password reset Host header manipulation) directly enables exploitation of the app for account takeover via poisoned reset links, mapping to T1190 and subsequent use of valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References