Skip to main content

CVE-2025-26842: n/a in n/a

High
VulnerabilityCVE-2025-26842cvecve-2025-26842
Published: Thu May 08 2025 (05/08/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.

AI-Powered Analysis

AILast updated: 07/05/2025, 04:43:22 UTC

Technical Analysis

CVE-2025-26842 is a high-severity vulnerability affecting Znuny, an open-source ticketing system used for customer support and communication management. The vulnerability arises from improper access control in the handling of S/MIME encrypted email messages within the CommunicationLog feature. Specifically, users who do not have authorized access to a particular ticket can still view the content of S/MIME encrypted emails associated with that ticket if they have access to the CommunicationLog. This indicates a failure in enforcing authorization checks on sensitive encrypted message content, allowing unauthorized disclosure of confidential information. The vulnerability is classified under CWE-863 (Incorrect Authorization), highlighting that the system does not correctly restrict access to sensitive data based on user permissions. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the vulnerability being remotely exploitable without authentication (AV:N/AC:L/PR:N/UI:N), and resulting in a complete confidentiality breach (C:H) without impacting integrity or availability. No patches or vendor-specific product versions are detailed, but the affected Znuny versions are up to 7.1.3. The vulnerability was published in May 2025, with no known exploits in the wild at the time of reporting.

Potential Impact

For European organizations using Znuny for ticketing and customer communication, this vulnerability poses a significant risk to confidentiality. Unauthorized users with access to the CommunicationLog can access sensitive encrypted email content, potentially exposing private customer data, internal communications, or other confidential information protected by S/MIME encryption. This could lead to data breaches violating GDPR requirements, resulting in regulatory penalties and reputational damage. The exposure of encrypted email content undermines the trust in secure communication channels and may facilitate further social engineering or targeted attacks. Since Znuny is used across various sectors including government, finance, and healthcare in Europe, the impact could be widespread, especially where sensitive personal or business data is handled. The lack of required authentication for exploitation increases the risk of insider threats or lateral movement attacks within organizations. Although no integrity or availability impacts are noted, the confidentiality breach alone is critical given the nature of the data involved.

Mitigation Recommendations

European organizations should immediately review access controls on the CommunicationLog feature within Znuny and restrict access strictly to authorized personnel. Implement role-based access control (RBAC) policies ensuring that only users with explicit ticket access can view associated communications. Until an official patch is released, consider disabling or limiting the use of CommunicationLog for S/MIME encrypted messages. Conduct audits to identify any unauthorized access to sensitive ticket communications. Enhance monitoring and alerting for unusual access patterns to ticket logs. Organizations should also educate users about the risk of exposing encrypted message content through improper access controls. Once a vendor patch or update becomes available, prioritize timely deployment. Additionally, consider encrypting sensitive ticket data at rest and in transit with strong cryptographic controls and segregate communication logs from general user access. Implement network segmentation to limit exposure of Znuny systems to trusted users only.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-02-15T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9818c4522896dcbd8160

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 4:43:22 AM

Last updated: 8/10/2025, 10:43:30 PM

Views: 9

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats