CVE-2025-25198
Published 2025-02-12
Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit likelihood (EPSS): 1.05% (60.1st percentile)
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the HTTP `Host` header so that the generated password reset link points to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
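How this bug class works, as an added illustration that is not mailcow's code: a reset-link builder that copies the request's Host header into the link produces a link to whatever host the attacker supplied, while the hardened variant takes the origin from configuration and only validates the incoming Host against an allowlist. The setting names `CANONICAL_HOST` / `ALLOWED_HOSTS`, the function names and the example hostnames are hypothetical.

```python
# Added illustration of the bug class, not mailcow's code. The setting names
# CANONICAL_HOST / ALLOWED_HOSTS, the function names and hostnames are hypothetical.
import re
import secrets
from urllib.parse import urlencode

CANONICAL_HOST = "mail.example.org"                       # assumed deployment hostname
ALLOWED_HOSTS = {CANONICAL_HOST, "webmail.example.org"}   # assumed vhost allowlist

# A plain hostname with an optional :port; rejects '@', '/', spaces and similar.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(?::\d{1,5})?$")


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Flawed pattern: the link origin is whatever Host the client sent, so a
    request carrying Host: attacker.example yields a link to the attacker."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def is_trusted_host(raw_host: str) -> bool:
    """True only for a well-formed Host whose hostname part is on the allowlist."""
    if not _HOST_RE.match(raw_host):
        return False
    return raw_host.split(":")[0].lower() in ALLOWED_HOSTS


def hardened_reset_link(headers: dict, token: str) -> str:
    """Safe pattern: the Host header is validated but never copied into the
    link; the origin always comes from configuration."""
    host = headers.get("Host", "")
    if not is_trusted_host(host):
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{CANONICAL_HOST}/reset-password?{urlencode({'token': token})}"


if __name__ == "__main__":
    token = secrets.token_hex(16)
    spoofed = {"Host": "attacker.example"}
    print("vulnerable:", vulnerable_reset_link(spoofed, token))
    try:
        hardened_reset_link(spoofed, token)
    except ValueError as exc:
        print("hardened  : rejected ->", exc)
    print("hardened  :", hardened_reset_link({"Host": CANONICAL_HOST}, token))
```

The hardened variant deliberately does not fall back to the Host header even after validation: an allowlisted vhost is still not necessarily the name users should see in email, and keeping the origin in configuration removes the header from the trust decision entirely.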
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailcow | mailcow | < 2025-01a | 2025-01a |
| mailcow | mailcow-dockerized | < 2025-01a | 2025-01a |
Detection & IOCs (extracted from sources)
Command (from the exploit, used to create the self-signed certificate for the attacker's HTTPS listener): `openssl req -x509 -newkey rsa:2048 -keyout <key_file> -out <cert_file> -days 365 -nodes -subj /CN=localhost`
- Detect Host header poisoning in password reset requests: alert on HTTP POST requests to /reset-password whose Host header does not match the server's configured canonical hostname. A mismatch here is the signature of an active Host header injection attempt.
- Look for password reset token patterns (UUID-like hex strings) in HTTP responses or redirect Location headers that point to non-canonical domains; this indicates a poisoned reset link was generated.
- Inspect inbound requests to /reset-password for the pw_reset_request parameter combined with a spoofed Host header; the exploit POSTs these together to trigger generation of a link to the attacker's host.
- The exploit uses a self-signed HTTPS listener on the attacker-controlled domain to capture the poisoned reset token. The token reaches that listener only when the victim follows the link, so the telltale connection originates from the user's browser, not from the mailcow server (which delivers the link by email and never fetches it); monitor client-side egress for HTTPS connections to unexpected external hosts carrying a reset-token-like path shortly after a password reset email is sent.
- As a workaround prior to patching, disable the password reset functionality entirely by clearing the notification email sender and subject fields.
- The vulnerability is fixed in mailcow version 2025-01a; instances running any prior version are affected.
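The first detection bullet as runnable logic, added here as an example rather than a rule taken from the page's sources: it parses constructed nginx-style access-log lines in which the Host header (`$http_host`) is logged as the final quoted field, and flags POSTs to /reset-password whose normalized hostname is not one of the deployment's canonical names (`CANONICAL_HOSTS` and the log lines are assumptions). POST bodies are not present in access logs, so the pw_reset_request parameter check from the third bullet would need request-body logging or a WAF rule instead.

```python
# Added detection example, not a rule from the page's sources. CANONICAL_HOSTS and
# the SAMPLE_LOG lines are constructed for illustration.
import re
from dataclasses import dataclass

CANONICAL_HOSTS = {"mail.example.org"}   # assumption: the deployment's real hostname(s)

# Constructed nginx-style lines: combined format plus "$http_host" as the last field.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2025:10:01:02 +0000] "POST /reset-password HTTP/1.1" 200 512 "mail.example.org"
198.51.100.9 - - [12/Feb/2025:10:03:44 +0000] "POST /reset-password HTTP/1.1" 200 512 "attacker.example"
198.51.100.9 - - [12/Feb/2025:10:03:45 +0000] "GET /reset-password HTTP/1.1" 200 2048 "attacker.example"
203.0.113.8 - - [12/Feb/2025:10:05:10 +0000] "POST /reset-password HTTP/1.1" 200 512 "mail.example.org:443"
203.0.113.8 - - [12/Feb/2025:10:06:00 +0000] "POST /reset-password?lang=en HTTP/1.1" 200 512 "MAIL.EXAMPLE.ORG"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<host>[^"]*)"$'
)


@dataclass
class Alert:
    src: str
    ts: str
    host: str


def normalize_host(raw: str) -> str:
    """Lower-case the hostname and drop a trailing :port, including for [v6]:port."""
    raw = raw.strip().lower()
    if raw.startswith("["):                       # IPv6 literal, e.g. [2001:db8::1]:443
        return raw[1:raw.index("]")] if "]" in raw else raw
    return raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw


def detect(log_text: str) -> list[Alert]:
    """Return one Alert per POST /reset-password whose Host is not canonical."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # unparseable line: skip, do not alert
        if m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/reset-password":
            continue
        if normalize_host(m["host"]) not in CANONICAL_HOSTS:
            alerts.append(Alert(m["src"], m["ts"], m["host"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.ts}] Host header injection attempt from {a.src}: Host={a.host!r}")
```

Port and case normalization matter in practice: a legitimate client behind some proxies sends `mail.example.org:443`, and alerting on that would bury the real `attacker.example` hit in noise. The GET in the sample is deliberately ignored because the link is generated on the POST.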
No advisories linked to this vulnerability.
No detection rules found.
No writeups or analysis indexed.