Full Report
An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan. [...]
Analysis Summary
# Vulnerability: Active! Mail Critical Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-42599
- CVSS Score: 9.8 (Critical)
- CWE: Stack-based Buffer Overflow (Implied by technical description)
## Affected Systems
- Products: Active! Mail (On-premise mail system)
- Versions: All versions up to and including 'BuildInfo: 6.60.05008561'
- Configurations: All supported OS platforms.
## Vulnerability Description
The flaw is a stack-based buffer overflow. A remote third party can trigger it by sending a maliciously crafted HTTP request to the server. Successful exploitation can lead to arbitrary remote code execution (RCE) or a Denial-of-Service (DoS) condition on the affected Active! Mail server.
## Exploitation
- Status: Exploited in the wild (Confirmed by Japan's CERT)
- Complexity: Likely Low (Due to confirmed exploitation and critical score)
- Attack Vector: Network (Remote third party sending crafted requests)
## Impact
- Confidentiality: High (Likely due to RCE leading to server compromise)
- Integrity: High (Likely due to RCE leading to system modification)
- Availability: High (DoS condition possible)
## Remediation
### Patches
- **Recommended Update:** Active! Mail 6 BuildInfo: 6.60.06008562 or later.
### Workarounds
For users unable to apply the security update immediately, Japan's CERT proposed the following mitigation steps:
1. Configure the Web Application Firewall (WAF) to enable HTTP request body inspection.
2. Configure the WAF to block `multipart/form-data` headers if their size exceeds a certain threshold.
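The body-size and part-header checks behind the WAF workaround above, as an added example that is not part of the advisory or of Qualitia's product: it parses constructed HTTP requests and flags `multipart/form-data` requests whose declared or actual body size, or whose per-part header block, exceeds a threshold. The threshold values, the request path and the hostname are assumptions; the advisory publishes no number, and a production WAF would express the same logic in its own rule language.

```python
import re

MAX_BODY_BYTES = 16 * 1024      # assumed threshold; the advisory publishes no number
MAX_PART_HEADER_BYTES = 1024    # assumed largest header block inside one multipart part

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, body

def inspect_request(raw: bytes) -> list:
    """Return the reasons a WAF should block this request; an empty list means allow."""
    _, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return []                               # the workaround only concerns multipart uploads
    reasons = []
    length = headers.get("content-length", "0")
    declared = int(length) if length.isdigit() else 0
    size = max(declared, len(body))             # trust neither the header nor the body alone
    if size > MAX_BODY_BYTES:
        reasons.append(f"multipart body {size} B exceeds {MAX_BODY_BYTES} B")
    m = re.search(r'boundary="?([^";]+)"?', ctype, re.IGNORECASE)
    if m is None:
        return reasons + ["multipart/form-data without a boundary parameter"]
    for part in body.split(b"--" + m.group(1).encode())[1:]:
        if part.startswith(b"--"):              # closing delimiter reached
            break
        part_headers = part.partition(b"\r\n\r\n")[0]
        if len(part_headers) > MAX_PART_HEADER_BYTES:
            reasons.append(f"part header block {len(part_headers)} B exceeds {MAX_PART_HEADER_BYTES} B")
    return reasons

def build_request(fields: dict, boundary: bytes = b"----constructed") -> bytes:
    """Construct a sample multipart/form-data POST (path and hostname are placeholders)."""
    body = b""
    for name, value in fields.items():
        body += b"--" + boundary + b"\r\nContent-Disposition: form-data; name=\"" + name + b"\"\r\n\r\n" + value + b"\r\n"
    body += b"--" + boundary + b"--\r\n"
    return (b"POST /upload HTTP/1.1\r\nHost: mail.example.invalid\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# Constructed samples: an ordinary form post, an oversized body, and a bloated part header.
BENIGN = build_request({b"subject": b"hello"})
OVERSIZED_BODY = build_request({b"attachment": b"A" * 70_000})
LONG_PART_HEADER = build_request({b"x" * 2_000: b"ok"})
```

Tune the two thresholds against a sample of legitimate traffic to the Active! Mail web interface before enforcing them, since a limit set below normal attachment sizes will block users rather than attackers.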
## Detection
- **Indicators of Compromise:** No public indicators are listed; reports of successfully exploited systems have come from Japanese organizations (Kagoya Japan, WADAX). Indicators would likely involve unusual process execution or network connections originating from the mail server process.
- **Detection Methods and Tools:** Deploy or tune a WAF to monitor and flag large or suspicious `multipart/form-data` requests targeting the Active! Mail web interface.
## References
- [Qualitia Security Bulletin](https://www.qualitia.com/jp/news/2025/04/18_1030.html)
- [Japan CERT Advisory (JVN22348866)](https://jvn.jp/en/jp/JVN22348866/index.html)
- [Japan CERT Mitigation Steps](https://www.jpcert.or.jp/at/2025/at250010.html)