CVE-2025-48738: CWE-770 Allocation of Resources Without Limits or Throttling in StrangeBee TheHive
An e-mail flooding vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows unauthenticated remote attackers to use the password reset feature without limits. This can lead to several consequences, including mailbox storage exhaustion for targeted users, reputation damage to the SMTP server, potentially causing it to be blacklisted, and overload of the SMTP server's outbound mail queue.
AI Analysis
Technical Summary
CVE-2025-48738 is a medium-severity vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting StrangeBee's TheHive versions 5.2.0 through 5.5.0 before their respective patched releases. The vulnerability arises from the password reset feature, which allows unauthenticated remote attackers to trigger an unlimited number of password reset emails. This lack of throttling or rate limiting enables attackers to flood targeted users' mailboxes with reset emails, potentially exhausting mailbox storage quotas. Additionally, the SMTP server responsible for sending these emails can become overloaded, leading to delays or failures in legitimate email delivery. The excessive outbound email traffic may also damage the SMTP server's reputation, increasing the risk of blacklisting by email providers and spam filters. The vulnerability does not require authentication or user interaction, making exploitation straightforward over the network. The affected versions include 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1. No known exploits are currently reported in the wild, but the potential for denial-of-service conditions on mail infrastructure and reputational damage is significant. The CVSS 4.0 score of 6.9 reflects the medium severity, with network attack vector, no privileges or user interaction required, and limited impact on confidentiality and integrity but notable impact on availability and service reliability.
Potential Impact
For European organizations using StrangeBee TheHive, this vulnerability can lead to operational disruptions and reputational harm. Mailbox storage exhaustion can prevent users from receiving critical communications, impacting incident response and security operations if TheHive is used for security incident management. Overloading the SMTP server can degrade email service quality, affecting broader organizational communication. The risk of SMTP server blacklisting can have longer-term consequences, causing legitimate emails to be blocked or marked as spam, which can disrupt business communications and incident notifications. Organizations relying on TheHive for security orchestration and response may experience delays or failures in their workflows, potentially increasing the window of exposure to other threats. The vulnerability also presents a risk of indirect denial-of-service on email infrastructure, which may affect other services relying on the same SMTP servers. Given the unauthenticated nature of the exploit, attackers can launch these attacks remotely without insider access, increasing the threat surface.
Mitigation Recommendations
Organizations should immediately upgrade StrangeBee TheHive to the latest patched versions: 5.2.16 or later for 5.2.x, 5.3.11 or later for 5.3.x, 5.4.10 or later for 5.4.x, and 5.5.1 or later for 5.5.x. Until patches are applied, administrators should implement rate limiting or CAPTCHA challenges on the password reset endpoint to prevent automated abuse. Monitoring outbound SMTP traffic for unusual spikes in password reset emails can help detect exploitation attempts early. Configuring SMTP servers to enforce sending limits per user or per IP address can mitigate the impact of flooding. Additionally, organizations should review mailbox quotas and increase storage limits temporarily if feasible to reduce the risk of mailbox exhaustion. Implementing email reputation monitoring and promptly addressing any blacklisting issues with email providers is critical. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block abnormal password reset request patterns. Finally, educating users about potential phishing or social engineering attempts related to password reset emails can reduce the risk of secondary attacks.
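The two interim controls above (throttling the reset endpoint and watching for spikes in reset traffic) can be illustrated in code. The following is an added example and not TheHive's own code or StrangeBee's patch: it implements a sliding-window rate limiter keyed on both the requesting IP and the targeted account, and a detector that flags reset-request spikes in constructed access-log lines. The log format and the `/password/reset` path are assumptions made for the example, not TheHive's real endpoint or log layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class ResetRateLimiter:
    """Sliding-window limiter: at most `limit` reset requests per `window_seconds`
    for each key. Keying on the target account (not only the source IP) is what
    stops a single mailbox being flooded by an attacker who rotates addresses."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self._events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        q = self._events[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: do not send another e-mail
        q.append(now)
        return True


def handle_reset_request(ip_limiter, account_limiter, src_ip, email, now):
    """Decide whether a reset e-mail may be sent. Returns 'sent', 'ip_throttled'
    or 'account_throttled'. The HTTP reply to the client should look the same in
    all three cases so throttling does not reveal whether the account exists."""
    if not ip_limiter.allow(src_ip, now):
        return "ip_throttled"
    if not account_limiter.allow(email, now):
        return "account_throttled"
    return "sent"


# Hypothetical log line layout (assumption for this example, not TheHive's):
# <ISO-8601 UTC timestamp> <client IP> POST /password/reset target=<e-mail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /password/reset target=(?P<target>\S+)$"
)

# Constructed sample: one client fires six resets at one account within 5 s,
# plus a single legitimate request for another account half an hour later.
SAMPLE_LOG = """\
2025-06-01T10:00:00Z 203.0.113.5 POST /password/reset target=alice@example.org
2025-06-01T10:00:01Z 203.0.113.5 POST /password/reset target=alice@example.org
2025-06-01T10:00:01Z 203.0.113.5 POST /password/reset target=alice@example.org
2025-06-01T10:00:02Z 203.0.113.5 POST /password/reset target=alice@example.org
2025-06-01T10:00:03Z 203.0.113.5 POST /password/reset target=alice@example.org
2025-06-01T10:00:04Z 203.0.113.5 POST /password/reset target=alice@example.org
2025-06-01T10:30:00Z 198.51.100.7 POST /password/reset target=bob@example.org
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_reset_spikes(log_text, threshold, window_seconds):
    """Return {key: peak count} for every IP or target account whose number of
    reset requests inside any `window_seconds` window exceeds `threshold`."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = parse_ts(m["ts"])
        events["ip:" + m["ip"]].append(ts)
        events["account:" + m["target"]].append(ts)

    alerts = {}
    for key, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for key, count in detect_reset_spikes(SAMPLE_LOG, threshold=3, window_seconds=60).items():
        print(f"ALERT {key}: {count} reset requests within 60 s")
```

The limiter is deliberately keyed twice: a per-IP budget alone is bypassed by distributing requests, while a per-account budget alone lets one source hammer many accounts, so a real deployment applies both. The detector uses the same window logic over logs, which is what a SOC would run against web-server or SMTP relay logs while the upgrade to a fixed release is scheduled.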
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-05-23T00:00:00.000Z
- CISA Enriched: false
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6830d8f30acd01a2492755ed
Added to database: 5/23/2025, 8:22:11 PM
Last enriched: 7/8/2025, 8:43:04 PM
Last updated: 8/17/2025, 3:59:14 PM