CVE-2025-30189: Improper Preservation of Consistency Between Independent Representations of Shared State in Open-Xchange GmbH OX Dovecot Pro
When cache is enabled, some passdb/userdb drivers incorrectly cache all users with the same cache key, causing wrong cached information to be used for these users. After a cached login, all subsequent logins are for the same user. Install the fixed version or disable caching either globally or for the impacted passdb/userdb drivers. No publicly available exploits are known.
AI Analysis
Technical Summary
CVE-2025-30189 is a vulnerability in OX Dovecot Pro, a mail server component developed by Open-Xchange GmbH, that arises from improper preservation of consistency between independent representations of shared state when caching is enabled. Specifically, some passdb/userdb drivers incorrectly cache authentication data using the same cache key for all users, which causes the system to return cached credentials of one user for subsequent login attempts by different users. This flaw leads to a scenario where after one user logs in successfully, all following logins are authenticated as that same user, effectively allowing unauthorized access to user accounts without requiring credentials or interaction. The vulnerability has a CVSS 3.1 base score of 7.4, indicating high severity, with network attack vector, high attack complexity, no privileges required, and no user interaction needed. The impact is critical on confidentiality and integrity but does not affect availability. No public exploits are currently known, but the vulnerability is published and fixed versions are available. Mitigation includes upgrading to the fixed version or disabling caching either globally or specifically for the affected passdb/userdb drivers to prevent incorrect caching behavior.
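The shared-key failure described above, reduced to a small model (an added example, not Dovecot or Open-Xchange code; the class, key templates, user names and paths are constructed for illustration). It contrasts a cache key with no per-user component against a per-user key and against a check at hit time that the cached record belongs to the user being looked up.

```python
# Simplified model of a lookup cache in front of a user database.
# Not Dovecot code: class names, key templates and records are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class UserRecord:
    user: str
    home: str

# Constructed backend standing in for a passdb/userdb driver.
BACKEND = {
    "alice": UserRecord("alice", "/srv/mail/alice"),
    "bob": UserRecord("bob", "/srv/mail/bob"),
}

class LookupCache:
    def __init__(self, key_template, verify_identity=False):
        self.key_template = key_template
        self.verify_identity = verify_identity
        self.entries = {}
        self.backend_hits = 0

    def cache_key(self, user, service):
        # The key is only as specific as the variables the template names.
        return self.key_template.format(user=user, service=service)

    def lookup(self, user, service="imap"):
        key = self.cache_key(user, service)
        cached = self.entries.get(key)
        if cached is not None:
            # Hardened path: a hit must describe the user being looked up.
            if not self.verify_identity or cached.user == user:
                return cached
            del self.entries[key]  # inconsistent entry: drop and re-query
        self.backend_hits += 1
        record = BACKEND[user]
        self.entries[key] = record
        return record

def demo():
    flawed = LookupCache("{service}")          # no per-user component
    fixed = LookupCache("{service}/{user}")    # key is unique per user
    guarded = LookupCache("{service}", verify_identity=True)
    results = {}
    for name, cache in (("flawed", flawed), ("fixed", fixed), ("guarded", guarded)):
        cache.lookup("alice")
        results[name] = cache.lookup("bob").user
    return results
```

In the flawed configuration the second lookup never reaches the backend, which is why disabling the cache for the affected drivers removes the wrong-user result at the cost of one backend query per login.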
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of email communications and user data managed by OX Dovecot Pro. Unauthorized access to user accounts can lead to data breaches, exposure of sensitive information, and potential lateral movement within networks. Organizations relying on OX Dovecot Pro for email services, especially those in sectors handling sensitive data such as finance, healthcare, and government, could face regulatory penalties under GDPR if user data is compromised. The vulnerability's network-exploitable nature means attackers can attempt exploitation remotely without authentication, increasing the threat surface. The absence of public exploits currently reduces immediate risk, but the high severity score and ease of exploitation once a proof of concept is developed necessitate urgent remediation. Disabling caching may impact performance but is a necessary trade-off until patches are applied.
Mitigation Recommendations
1. Immediately upgrade OX Dovecot Pro to the fixed version provided by Open-Xchange GmbH to resolve the caching issue.
2. If upgrading is not immediately possible, disable caching globally or specifically for the affected passdb/userdb drivers to prevent the reuse of cached credentials across users.
3. Conduct thorough audits of user login logs to detect any anomalous authentication patterns indicative of exploitation.
4. Implement network-level access controls to restrict access to mail servers only to trusted IP ranges to reduce exposure.
5. Monitor vendor advisories for any updates or exploit releases related to this vulnerability.
6. Educate system administrators on the importance of verifying caching configurations and applying patches promptly.
7. Consider deploying additional authentication mechanisms such as multi-factor authentication to mitigate risks from compromised sessions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: OX
- Date Reserved: 2025-03-18T08:39:46.884Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69048024189d660333d32ad2
Added to database: 10/31/2025, 9:23:48 AM
Last enriched: 11/27/2025, 11:20:55 AM
Last updated: 12/14/2025, 9:33:06 PM