CVE-2025-68722

Severity: HIGH 8.8 · EPSS percentile 15.3%

Description

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.24% probability of exploitation · percentile 15.3% · 2026-06-18T12:00:27Z
Published: 2026-02-05
Last modified: 2026-02-24

Underlying weaknesses (1)

CWE-352

References

  1. https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html
  2. https://www.axigen.com/mail-server/download/
  3. https://github.com/osmancanvural/CVE-2025-68722

Mapped weakness (1)

Type: Weakness · Target: Cross-Site Request Forgery (CSRF) · CWE: cwe-352 · Confidence: 0% · Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-68723
  2. CVE-2025-68721
  3. CVE-2025-28062
  4. CVE-2025-32354
  5. CVE-2025-36728
  6. CVE-2025-65472
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.