CVE-2025-25198
published 2025-02-12

CVE-2025-25198: mailcow-dockerized password reset link poisoning via the HTTP Host header (fixed in 2025-01a)

Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 1.05% (percentile 60.1)
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the HTTP `Host` header so that the generated password reset link points to an attacker-controlled domain instead of the mailcow server. This can lead to account takeover if a user clicks the poisoned link, since the reset token is delivered to the attacker's host. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
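An added example of the pattern the advisory describes, not mailcow's own code (mailcow is written in PHP; this is a generic Python sketch): a reset-link builder that trusts the request's Host header, beside a hardened version that validates the Host header against an allowlist and builds the link from server-side configuration only. CANONICAL_HOST, TRUSTED_HOSTS, the function names, the sample token and the attacker hostname are assumptions.

```python
# Added example, not mailcow's code: generic password-reset link construction
# in the vulnerable shape described by CVE-2025-25198, beside a hardened form.
# CANONICAL_HOST, TRUSTED_HOSTS, function names and hostnames are assumptions.
from urllib.parse import urlencode, urlsplit

CANONICAL_HOST = "mail.example.org"          # assumed operator configuration
# Hostnames the server legitimately answers on (assumed); anything else is rejected.
TRUSTED_HOSTS = {CANONICAL_HOST, "webmail.example.org"}


def host_header_name(raw: str) -> str:
    """Lower-case the Host header and drop an explicit port ("host:443")."""
    h = raw.strip().lower()
    if h.startswith("["):                     # bracketed IPv6 literal
        return h.split("]", 1)[0] + "]"
    return h.split(":", 1)[0]


def is_trusted_host(host_header: str) -> bool:
    """True only for an exact allowlist match; a suffix trick such as
    mail.example.org.attacker.example must not pass."""
    return host_header_name(host_header) in TRUSTED_HOSTS


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the absolute URL is built from the client-supplied
    Host header, so an attacker who sends `Host: attacker.example` gets a reset
    mail whose link (and token) points at their own server."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the Host header is validated against the allowlist and
    the link is always built from the configured canonical hostname, never from
    request data. Reverse-proxy headers such as X-Forwarded-Host need the same
    treatment and are deliberately not consulted here either."""
    host = headers.get("Host", "")
    if not is_trusted_host(host):
        raise ValueError(f"rejected reset request for unexpected Host {host!r}")
    return f"https://{CANONICAL_HOST}/reset-password?{urlencode({'token': token})}"


def link_host(link: str) -> str:
    """Where a generated link would send the user; handy when auditing mail
    templates or logs for poisoned links."""
    return urlsplit(link).hostname or ""


if __name__ == "__main__":
    token = "0123456789abcdef0123456789abcdef"   # constructed sample token
    spoofed = {"Host": "attacker.example"}
    print("vulnerable:", build_reset_link_vulnerable(spoofed, token))
    try:
        build_reset_link_hardened(spoofed, token)
    except ValueError as e:
        print("hardened  :", e)
    print("hardened  :", build_reset_link_hardened({"Host": "mail.example.org:443"}, token))
```

The hardened builder rejects the request outright rather than silently falling back to the canonical host, so a spoofed Host header becomes a logged error instead of a quietly "fixed" link; that is also what makes the detection rule further down meaningful.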

Affected (2 ranges)

Vendor    Product             Version range   Fixed in
mailcow   mailcow             < 2025-01a      2025-01a
mailcow   mailcow-dockerized  < 2025-01a      2025-01a

Detection & IOCs (extracted from sources)

url: /reset-password
path: /reset-password
command: openssl req -x509 -newkey rsa:2048 -keyout <key_file> -out <cert_file> -days 365 -nodes -subj /CN=localhost
  (attacker-side artifact: this generates the self-signed certificate for the exploit's HTTPS listener; it is not something to hunt for on the mailcow host)
  • Alert on HTTP POST requests to /reset-password whose Host header does not match the server's configured canonical hostname (or any other hostname it legitimately serves); such a mismatch is the signature of an active Host header injection attempt. The stock "combined" access-log format does not record the Host header, so the log format has to include it (for example $host in nginx or %{Host}i in Apache) before this rule can fire.
  • Look for password reset links whose host is not the canonical domain in outbound notification mail (the reset link is delivered by email) and, where they are logged, in HTTP responses or redirect Location headers; a reset token (UUID-like hex string) paired with a non-canonical host means a poisoned link was generated.
  • Inspect inbound requests to /reset-password for the pw_reset_request parameter combined with a spoofed Host header; the exploit POSTs these together to trigger link generation pointing at the attacker host.
  • The exploit uses a self-signed HTTPS listener on the attacker-controlled domain to capture the poisoned reset token. The mailcow server itself does not connect to that host; the victim's browser does when the link is clicked, so look in proxy, DNS and egress logs for client machines fetching /reset-password on an unexpected external host shortly after a reset request.
  • As a workaround prior to patching, disable the password reset functionality entirely by clearing the notification email sender and subject fields (System -> Configuration -> Options -> Password Settings).
  • The vulnerability is fixed in mailcow version 2025-01a; instances running any prior version are affected.
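The first detection note above, as an added example that is not part of the original page or the mailcow project: a small Python detector run over constructed access-log lines. It assumes a log format that appends the Host header in quotes to the combined format (the stock format does not record it); the canonical hostname allowlist, client addresses, timestamps and the sample token are made up.

```python
# Added example, not from the page or the mailcow project: flag POSTs to
# /reset-password whose Host header is not a hostname this server legitimately
# serves. Log format, hostnames, addresses and timestamps are constructed.
import re
from dataclasses import dataclass

CANONICAL_HOSTS = {"mail.example.org"}   # assumed; list every legitimate hostname
RESET_PATH = "/reset-password"

# Assumed access-log format: the "combined" format with the Host header
# appended in quotes (nginx: '... "$host"', Apache: '... "%{Host}i"').
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<host>[^"]*)"$'
)

# Constructed sample: a legitimate reset, a spoofed Host, a token redemption,
# a Host with an explicit port, a suffix trick, and a spoofed Host on another path.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2025:10:00:01 +0000] "POST /reset-password HTTP/1.1" 200 512 "mail.example.org"
203.0.113.5 - - [12/Feb/2025:10:00:07 +0000] "POST /reset-password HTTP/1.1" 200 512 "attacker.example"
198.51.100.9 - - [12/Feb/2025:10:01:13 +0000] "GET /reset-password?token=0123abcd HTTP/1.1" 200 2048 "mail.example.org"
203.0.113.5 - - [12/Feb/2025:10:02:44 +0000] "POST /reset-password HTTP/1.1" 200 512 "mail.example.org:443"
203.0.113.5 - - [12/Feb/2025:10:03:02 +0000] "POST /reset-password HTTP/1.1" 200 512 "mail.example.org.attacker.example"
203.0.113.5 - - [12/Feb/2025:10:03:30 +0000] "POST /login HTTP/1.1" 302 0 "attacker.example"
"""


@dataclass
class Finding:
    time: str
    src: str
    host: str
    reason: str


def normalize_host(raw: str) -> str:
    """Lower-case and strip an explicit port so "mail.example.org:443" matches."""
    h = raw.strip().lower()
    if h.startswith("["):                  # bracketed IPv6 literal
        return h.split("]", 1)[0] + "]"
    return h.split(":", 1)[0]


def detect_host_poisoning(log_text: str, trusted: set = CANONICAL_HOSTS) -> list:
    """Return one Finding per POST to the reset endpoint carrying an untrusted
    Host header. Exact allowlist matching keeps suffix tricks
    (mail.example.org.attacker.example) from passing."""
    trusted = {h.lower() for h in trusted}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not in the expected format
        path = m["target"].split("?", 1)[0]
        if m["method"] != "POST" or path != RESET_PATH:
            continue                       # only reset requests are of interest
        if normalize_host(m["host"]) not in trusted:
            findings.append(Finding(
                m["time"], m["src"], m["host"],
                "reset request with Host header not in the server's hostname allowlist",
            ))
    return findings


if __name__ == "__main__":
    for f in detect_host_poisoning(SAMPLE_LOG):
        print(f"{f.time} {f.src} Host={f.host!r}: {f.reason}")
```

Run against the sample it reports two lines, the bare spoofed host and the suffix trick; the request with an explicit port is accepted, and the spoofed Host on /login is ignored because the rule is scoped to the reset endpoint. Widen the allowlist to every hostname mailcow actually answers on before deploying this, or legitimate alias hostnames will show up as findings.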