CVE-2025-68721

HIGH

Axigen Mail Server <10.5.57 - Privilege Escalation

Title source: llm

Description

Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section.

Exploits (2)

github WRITEUP 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-68721

View Code ZIP pw:eip

nomisec WRITEUP 1 stars

by osmancanvural · poc

https://github.com/osmancanvural/CVE-2025-68721

View Code ZIP pw:eip

References (3)

[Vendor Advisory] https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.html

[Product] https://www.axigen.com/mail-server/download/

[Various Sources] https://github.com/osmancanvural/CVE-2025-68721

Scores

CVSS v3 8.1

EPSS 0.0001

EPSS Percentile 1.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-284

Status published

Products (1)

axigen/axigen_mail_server 10.3.0 - 10.5.57

Published Feb 05, 2026

Tracked Since Feb 18, 2026