CVE-2022-31138

HIGH

mailcow < 2022-06a - Privilege Escalation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-31138, a PoC published by ly1g3.

AI-analyzed exploit summary: This PoC demonstrates a code injection vulnerability in Mailcow's Sync Job feature, allowing RCE via Perl code injection in imapsync's regex fields. It also includes privilege escalation to Domain Admin by leveraging database access.

Description

mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.

Exploits (1)

nomisec · Working PoC · 2 stars
by ly1g3 · poc
https://github.com/ly1g3/Mailcow-CVE-2022-31138

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mailcow (versions 2019 - 2022-06a)
Authentication required
Prerequisites: Valid user credentials · Access to Sync Jobs feature
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/ly1g3/Mailcow-CVE-2022-31138
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-06a

Scores

CVSS v3: 8.8
EPSS: 0.0234
EPSS Percentile: 81.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1): mailcow/mailcow < 2022-06a
Published: Jul 11, 2022
Tracked Since: Feb 18, 2026