CVE-2025-30189 affects Open-Xchange GmbH's OX Dovecot Pro mail server software and arises from improper preservation of consistency between independent representations of shared state when caching is enabled. Specifically, some passdb/userdb drivers incorrectly cache authentication data by using a single cache key for multiple users. This flaw causes the cache to return the same user information for different login attempts after the first cached login, effectively allowing subsequent logins to be recognized as the same user regardless of the actual credentials provided. This vulnerability compromises the authentication mechanism, leading to unauthorized access to user accounts and potentially exposing sensitive email data. The issue does not require prior authentication or user interaction but has a high attack complexity due to the need to exploit the caching mechanism. The vulnerability impacts confidentiality and integrity but does not affect availability. No public exploits have been reported yet. The recommended remediation is to upgrade to a fixed version of OX Dovecot Pro or disable caching either globally or specifically for the affected passdb/userdb drivers to prevent incorrect caching behavior.

The vulnerability allows attackers to bypass authentication controls by exploiting the caching mechanism, leading to unauthorized access to other users' accounts. This can result in significant confidentiality breaches, exposing sensitive emails and user data. Integrity is also compromised as attackers can impersonate other users, potentially sending or modifying emails under false identities. Although availability is not directly impacted, the trustworthiness of the mail system is severely undermined. Organizations relying on OX Dovecot Pro with caching enabled face risks of data leakage, compliance violations, and reputational damage. The scope includes all users of affected versions with caching enabled, potentially affecting large user bases in enterprise and service provider environments.

Organizations should immediately assess their use of OX Dovecot Pro and determine if caching is enabled, particularly for passdb/userdb drivers. The primary mitigation is to upgrade to the vendor-provided fixed version of OX Dovecot Pro once available. Until then, disabling caching globally or specifically for the impacted passdb/userdb drivers is critical to prevent exploitation. Additionally, organizations should monitor authentication logs for unusual login patterns indicating potential exploitation. Implementing strict access controls and multi-factor authentication can help reduce risk exposure. Regularly reviewing and updating software configurations to avoid insecure caching practices is recommended. Finally, organizations should prepare incident response plans to address potential unauthorized access incidents stemming from this vulnerability.