
CVE-2025-29557: n/a

Medium
Published: Thu Jul 31 2025 (07/31/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control in the MailConfiguration API endpoint, where users with operator-level privileges can issue an HTTP request to retrieve SMTP credentials, including plaintext passwords.

AI-Powered Analysis

Last updated: 07/31/2025, 15:17:42 UTC

Technical Analysis

CVE-2025-29557 is a security vulnerability identified in ExaGrid EX10 backup storage appliances running firmware versions 6.3 through 7.0.1.P08. The flaw resides in the MailConfiguration API endpoint, which is responsible for managing SMTP settings used for email notifications. Specifically, the vulnerability is due to incorrect access control that allows users with operator-level privileges—who typically have limited administrative capabilities—to issue HTTP requests that retrieve SMTP credentials, including plaintext passwords. This means that an attacker or insider with operator access can extract sensitive authentication information without requiring higher administrative privileges or additional user interaction. The exposure of SMTP credentials can lead to further compromise, such as unauthorized email sending, phishing campaigns, or lateral movement within the network. Although there are no known exploits in the wild at the time of publication, the vulnerability presents a significant risk given the sensitive nature of the credentials involved and the ease of exploitation through standard API calls. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed for severity, but the technical details suggest a critical issue in access control mechanisms within a critical infrastructure component.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on ExaGrid EX10 appliances for backup and disaster recovery. Compromise of SMTP credentials could allow attackers to send spoofed or malicious emails from trusted internal systems, facilitating phishing attacks or delivering malware payloads. This can lead to data breaches, reputational damage, and regulatory non-compliance, particularly under GDPR where unauthorized data access or leakage must be reported. Additionally, attackers gaining foothold through operator accounts could escalate privileges or move laterally within networks, threatening the integrity and availability of backup systems. Disruption or compromise of backup infrastructure can severely affect business continuity and recovery capabilities. Given that backup appliances are often considered highly trusted and less frequently monitored, this vulnerability could be exploited stealthily, increasing the risk of prolonged undetected compromise.

Mitigation Recommendations

European organizations using ExaGrid EX10 appliances should immediately verify their firmware versions and plan to upgrade to a patched version once available from the vendor. Until a patch is released, it is critical to restrict operator-level access strictly to trusted personnel and monitor API usage logs for unusual requests to the MailConfiguration endpoint. Network segmentation should be enforced to limit access to backup appliances only from authorized management systems. Additionally, organizations should consider rotating SMTP credentials used by the appliances and implement multi-factor authentication for operator accounts if supported. Regular audits of access controls and credential storage practices on backup devices are recommended. Finally, organizations should prepare incident response plans to quickly address any signs of credential compromise or unauthorized email activity stemming from this vulnerability.
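The recommendation above to monitor API usage logs for requests to the MailConfiguration endpoint can be turned into a simple detection. The following script is an added example written for this page; it is not ExaGrid code and it is not derived from the advisory. It assumes a constructed, space-separated access log of the form `<timestamp> <user> <role> <method> <path> <status>` and assumes the endpoint path contains the string "MailConfiguration" (the endpoint name comes from the advisory, the full path and the log format are assumptions). It flags every request to that endpoint from a role other than the ones expected to manage SMTP settings, and separately counts the successful (2xx) reads per user, since those are the events that should be treated as credential exposure and trigger SMTP credential rotation.

```python
import re
from collections import Counter

# Assumed log format (constructed for this example, not ExaGrid's real format):
# <timestamp> <user> <role> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<role>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Endpoint name from the advisory; the surrounding path is an assumption.
SENSITIVE_PATH_MARKER = "MailConfiguration"
# Roles that are expected to read or change SMTP settings (assumption).
EXPECTED_ROLES = {"admin"}

# Constructed sample log: one legitimate admin read, two operator reads that
# succeeded, one operator read that was denied, and one malformed line.
SAMPLE_LOG = """\
2025-07-31T10:00:01Z alice admin GET /api/MailConfiguration 200
2025-07-31T10:05:12Z bob operator GET /api/Backups 200
2025-07-31T10:06:40Z bob operator GET /api/MailConfiguration 200
2025-07-31T10:06:41Z bob operator GET /api/MailConfiguration 200
2025-07-31T10:09:03Z carol operator GET /api/MailConfiguration 403
not a well-formed log line
""".splitlines()


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def find_sensitive_reads(lines, expected_roles=EXPECTED_ROLES):
    """Events where a role outside expected_roles touched the MailConfiguration endpoint.

    Denied requests (403) are kept as well: repeated attempts from an operator
    account are worth knowing about even when the appliance refused them.
    """
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip malformed lines instead of crashing the job
        if SENSITIVE_PATH_MARKER not in event["path"]:
            continue
        if event["role"] in expected_roles:
            continue
        findings.append(event)
    return findings


def successful_reads_by_user(findings):
    """Count successful (2xx) sensitive reads per user.

    On an unpatched appliance these are the events that mean SMTP credentials
    were actually returned, so they should drive credential rotation.
    """
    counts = Counter(e["user"] for e in findings if 200 <= e["status"] < 300)
    return dict(counts)


if __name__ == "__main__":
    hits = find_sensitive_reads(SAMPLE_LOG)
    for e in hits:
        print(f"{e['ts']} {e['user']} ({e['role']}) {e['method']} {e['path']} -> {e['status']}")
    print("successful reads by non-expected roles:", successful_reads_by_user(hits))
```

On real logs the regex and the role source would have to be adapted to the appliance's actual log format; the point of the check is that any successful read of the SMTP configuration by a non-administrative account is a credential-exposure event until the firmware is patched, not merely an audit curiosity.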


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 688b8596ad5a09ad00b90298

Added to database: 7/31/2025, 3:02:46 PM

Last enriched: 7/31/2025, 3:17:42 PM

Last updated: 8/2/2025, 1:57:44 AM

