CVE-2024-24760: CWE-610: Externally Controlled Reference to a Resource in Another Sphere in mailcow mailcow-dockerized

High
Published: Fri Feb 02 2024 (02/02/2024, 15:28:22 UTC)
Source: CVE
Vendor/Project: mailcow
Product: mailcow-dockerized

Description

mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`.

AI-Powered Analysis

Last updated: 07/04/2025, 18:28:41 UTC

Technical Analysis

CVE-2024-24760 is a high-severity vulnerability affecting mailcow-dockerized versions prior to 2024-01c. mailcow is a popular dockerized email server suite whose containers are interconnected through a bridged Docker network named br-mailcow. The vulnerability stems from insufficient network isolation in that bridge configuration: binding a container port to 127.0.0.1 only restricts the port mapping Docker publishes on the host, and the host's filtering rules did not block packets arriving on interfaces other than br-mailcow and addressed to these container ports. An attacker on the same subnet as the mailcow host could therefore reach service ports inside the containers that were meant to be accessible only locally. The affected ports are 3306 (commonly MySQL), 6379 (Redis), 8983 (Solr), and 12345 (a custom or less common service port).

The vendor addressed this by adding iptables/nftables rules that drop packets destined for these ports when the input interface is not br-mailcow but the output interface is br-mailcow, enforcing segmentation on the host and keeping other hosts on the subnet away from these internal container services.

The CVSS 3.1 base score is 8.8: network attack vector, low attack complexity, low privileges required (PR:L), no user interaction, and high impact on confidentiality, integrity, and availability. No exploits in the wild have been reported. The issue is classified as CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), reflecting unauthorized cross-network access to resources caused by improper isolation.

Potential Impact

For European organizations deploying mailcow-dockerized for email services, this vulnerability poses a significant risk of unauthorized access to critical backend services such as databases (MySQL), caching layers (Redis), and search engines (Solr) that are integral to mailcow’s operation. Exploitation could lead to data breaches exposing sensitive email data, user credentials, or internal configuration information, compromising confidentiality. Attackers could also manipulate or disrupt these services, impacting integrity and availability of the email platform, potentially causing service outages or data corruption. Given mailcow’s popularity among small to medium enterprises and hosting providers in Europe, the vulnerability could facilitate lateral movement within corporate or hosting provider networks, especially in environments where subnet segmentation is weak. This could escalate to broader compromise of organizational IT infrastructure. The lack of required user interaction and the ability to exploit remotely from the same subnet increases the threat level. Although no public exploits are known, the high CVSS score and the critical nature of the affected services warrant urgent attention to prevent potential targeted attacks or insider threats.

Mitigation Recommendations

European organizations should immediately upgrade mailcow-dockerized to version 2024-01c or later, where the vendor has implemented iptables/nftables rules to enforce strict network segmentation. Until upgrades are applied, administrators should manually verify and enforce firewall rules on the host to block inbound traffic to ports 3306, 6379, 8983, and 12345 from any interface other than br-mailcow. Network segmentation should be audited to ensure that only trusted hosts have access to the mailcow subnet. Monitoring network traffic for anomalous connections to these ports can help detect exploitation attempts. Additionally, organizations should review Docker daemon and container network configurations to ensure no unintended port exposures exist. Employing host-based intrusion detection systems (HIDS) and container security tools to monitor for suspicious activity targeting these services is recommended. Regular backups of mailcow data and configurations should be maintained to enable recovery in case of compromise. Finally, restricting administrative access to the mailcow environment and enforcing strong authentication and authorization controls will reduce the risk of privilege escalation and lateral movement.
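The manual firewall check described above, as an added example that is not mailcow's own code: one function prints the iptables DROP rules matching the advisory (bridge name and ports from the advisory; placing them in the FORWARD chain and restricting them to TCP are assumptions made here), and a second audits an `iptables-save` dump to list ports that are still unprotected.

```shell
#!/bin/sh
# Added example, not mailcow's own script. Bridge name and ports are taken
# from the advisory; FORWARD chain and TCP-only matching are assumptions.
MAILCOW_BRIDGE="br-mailcow"
MAILCOW_PORTS="3306 6379 8983 12345"

# Print (rather than apply) one DROP rule per port: packets leaving via
# br-mailcow that did not also enter via br-mailcow are discarded, so a
# host elsewhere on the subnet cannot reach the container port directly.
mailcow_rules() {
    for port in $MAILCOW_PORTS; do
        printf 'iptables -I FORWARD ! -i %s -o %s -p tcp --dport %s -j DROP\n' \
            "$MAILCOW_BRIDGE" "$MAILCOW_BRIDGE" "$port"
    done
}

# Read an `iptables-save` dump on stdin and print the ports that still
# lack such a rule. Exit status 0 means every port is covered.
audit_rules() {
    dump=$(cat)
    missing=""
    for port in $MAILCOW_PORTS; do
        pattern="-A FORWARD .*! -i ${MAILCOW_BRIDGE} .*-o ${MAILCOW_BRIDGE} .*--dport ${port} .*-j DROP"
        if ! printf '%s\n' "$dump" | grep -Eq -- "$pattern"; then
            missing="${missing:+$missing }$port"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample dump of a half-patched host: only 3306 is protected.
SAMPLE_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 3306 -j DROP
-A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT
COMMIT'

# Usage: review the generated rules, then audit the live host with
#   iptables-save | audit_rules
printf 'Rules to apply:\n'; mailcow_rules
printf 'Unprotected ports in sample dump: '
printf '%s\n' "$SAMPLE_DUMP" | audit_rules || printf 'host is not fully protected\n'
```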

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-01-29T20:51:26.010Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec2f6

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:28:41 PM

Last updated: 8/15/2025, 9:36:35 PM
