CVE-2025-25198

HIGH

mailcow: dockerized <2025-01a - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-25198. PoCs published by alvarez, Groppoxx, adminlove520.

AI-analyzed exploit summary: This exploit demonstrates Host Header Password Reset Poisoning in mailcow versions prior to 2025-01a. It sets up an HTTPS listener to capture password reset tokens sent to an attacker-controlled domain via Host header manipulation, enabling potential account takeover.

Description

mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
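The description above names the root cause (the reset link is derived from the client-supplied Host header) and the fix (version 2025-01a). As an added illustration of that pattern, and not mailcow's own code, the following Python shows the vulnerable construction beside a hardened one that builds the link from a configured canonical origin and validates the Host header against an allowlist. The setting `CANONICAL_BASE_URL`, the `ALLOWED_HOSTS` set, the helper names and the sample requests are assumptions constructed for this example.

```python
"""
Added example (not mailcow's code): password-reset link generation that
does not trust the client-supplied Host header. CANONICAL_BASE_URL,
ALLOWED_HOSTS, the request dicts and the function names are assumptions
made for illustration; none of them are taken from the mailcow code base.
"""
from urllib.parse import urlencode, urlsplit

# Constructed deployment settings: the only origin reset links may point to,
# and the hostnames a request is allowed to present in its Host header.
CANONICAL_BASE_URL = "https://mail.example.com"
ALLOWED_HOSTS = {"mail.example.com"}


def reset_link_from_host_header(request: dict, token: str) -> str:
    """Vulnerable pattern: the link's host comes straight from the request.

    Whatever name the Host header carries ends up in the e-mailed link, so
    the reset token is sent to that name if the recipient clicks. Kept only
    as the 'before' form for comparison with reset_link_hardened().
    """
    host = request["headers"]["Host"]
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def host_header_is_trusted(request: dict) -> bool:
    """Check the Host header against the configured allowlist.

    The header may carry a port, so only the hostname part is compared.
    urlsplit needs a leading '//' to parse a bare host[:port] as netloc,
    and .hostname already lower-cases the result. A missing or empty
    header yields None and is rejected.
    """
    raw = request["headers"].get("Host", "")
    hostname = urlsplit(f"//{raw}").hostname
    return hostname is not None and hostname in ALLOWED_HOSTS


def reset_link_hardened(request: dict, token: str) -> str:
    """Hardened pattern: build the link from configuration, never from Host.

    The Host check is defence in depth: a request presenting an unexpected
    name is refused (and can be logged by the caller) instead of served.
    """
    if not host_header_is_trusted(request):
        raise ValueError("untrusted Host header; refusing to issue reset link")
    return f"{CANONICAL_BASE_URL}/reset-password?{urlencode({'token': token})}"


# Constructed sample requests: a normal one and one whose Host header
# names a domain the deployment does not own.
LEGIT_REQUEST = {"headers": {"Host": "mail.example.com"}}
FOREIGN_HOST_REQUEST = {"headers": {"Host": "other.example.net"}}


if __name__ == "__main__":
    token = "constructed-token-123"
    # Vulnerable form: link points at whatever Host said.
    print(reset_link_from_host_header(FOREIGN_HOST_REQUEST, token))
    # Hardened form: link always points at the canonical origin.
    print(reset_link_hardened(LEGIT_REQUEST, token))
    try:
        reset_link_hardened(FOREIGN_HOST_REQUEST, token)
    except ValueError as exc:
        print("rejected:", exc)
```

On a real deployment the canonical base URL belongs in configuration that operators control (the same place the mailcow hostname is already set), and a rejected Host header is worth logging, since a burst of such rejections against the reset endpoint is a usable detection signal for attempts of this kind.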

Exploits (4)

exploitdb WORKING POC
by alvarez · text · webapps · multiple
https://www.exploit-db.com/exploits/52485

This exploit demonstrates Host Header Password Reset Poisoning in mailcow versions prior to 2025-01a. It sets up an HTTPS listener to capture password reset tokens sent to an attacker-controlled domain via Host header manipulation, enabling potential account takeover.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: mailcow:dockerized < 2025-01a
No auth needed
Prerequisites: Python 3.8+ · httpx or requests library · Docker environment with vulnerable mailcow instance · network access to target
devstral-2 · analyzed May 11, 2026
github WORKING POC 17 stars
by Groppoxx · python · poc
https://github.com/Groppoxx/CVE-2025-25198-PoC

This repository contains a functional proof-of-concept exploit for CVE-2025-25198, which involves Host header poisoning in Mailcow. The PoC automates the process of spinning up an HTTPS listener, handling session cookies and CSRF tokens, and triggering a password reset with a poisoned Host header to capture the reset link.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Mailcow (version not specified)
No auth needed
Prerequisites: Python 3.8+ · OpenSSL · Privileged port 443 access · Network reachability to the target
devstral-2 · analyzed Feb 19, 2026
github WORKING POC 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-25198

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and functional code.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: TOTOLINK LR350, TOTOLINK T6, Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target device
devstral-2 · analyzed Feb 27, 2026
github WORKING POC
by enzocipher · go · poc
https://github.com/enzocipher/CVE-2025-25198

This repository contains a functional exploit for CVE-2025-25198, which manipulates the Host HTTP header in mailcow's password reset functionality to generate a password reset link pointing to an attacker-controlled domain. The exploit includes a Go-based HTTP server to capture the password reset token and a script to send the malicious request.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: mailcow: dockerized (versions prior to 2025-01a)
No auth needed
Prerequisites: Go 1.16 or higher · Access to the target mailcow instance
devstral-2 · analyzed Feb 19, 2026

References (1)


Scores

CVSS v3 7.1
EPSS 0.0105
EPSS Percentile 59.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-601
Status published
Products (1)
mailcow/mailcow < 2025-01a
Published Feb 12, 2025
Tracked Since Feb 18, 2026