
CVE-2025-50340: n/a

High
Published: Mon Aug 04 2025 (08/04/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail through 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system.

AI-Powered Analysis

Last updated: 08/04/2025, 20:32:53 UTC

Technical Analysis

CVE-2025-50340 is an Insecure Direct Object Reference (IDOR) vulnerability identified in SOGo Webmail versions up to 5.6.0. It arises because the application does not verify whether an authenticated user is authorized to use the sender identity specified in an email-sending request. Specifically, the sender of an email is designated by a user-controlled identifier parameter in that request. Because the server performs insufficient authorization checks, an authenticated user can craft a request that names another user's identity as the sender, and the message is delivered on behalf of that user without their consent. This enables impersonation within the email system and can facilitate phishing campaigns, unauthorized communication, and social engineering. The root cause is a missing object-level authorization check: the server trusts the user-supplied sender identifier without confirming that the authenticated account owns that identity. Although exploitation requires authentication, the impact is significant because it undermines the integrity and trustworthiness of email communications within an organization. No publicly known in-the-wild exploitation has been reported, and no CVSS score has been assigned. The risk nonetheless remains high because email is a critical communication vector and impersonation can be a stepping stone to lateral movement or data exfiltration through phishing.
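To make the missing check concrete, here is an added example (not SOGo's code and not derived from it) that models a webmail send handler in Python. The identity table, the account names and the request shape are constructed for the illustration; the vulnerable function shows the IDOR pattern described above, in which the client-supplied sender identifier is trusted as-is, and the fixed function shows the object-level authorization check that ties the chosen sender to the authenticated account.

```python
from email.utils import parseaddr

# Constructed identity table for the example: each authenticated account maps
# to the sender addresses it is permitted to use (its mailbox plus aliases).
# A real webmail would take this from its identity store.
ALLOWED_IDENTITIES = {
    "alice": {"alice@example.org", "alice.smith@example.org"},
    "bob": {"bob@example.org"},
}


def normalize(address: str) -> str:
    """Reduce 'Display Name <addr>' to a lower-cased bare address."""
    _name, addr = parseaddr(address)
    return addr.strip().lower()


def is_authorized_sender(session_user: str, address: str) -> bool:
    """True only if the address is one of the session user's own identities."""
    return normalize(address) in ALLOWED_IDENTITIES.get(session_user, set())


def send_mail_vulnerable(session_user: str, request: dict) -> dict:
    """IDOR pattern: the 'from' field supplied by the client is trusted as-is.

    Nothing ties the chosen sender to the authenticated account, so any
    logged-in user can name any identity as the sender.
    """
    envelope_from = normalize(request["from"])
    return {"sender": envelope_from, "authenticated_as": session_user}


def send_mail_fixed(session_user: str, request: dict) -> dict:
    """Hardened form: the sender must be one of the session user's identities.

    The authorization decision is made server-side from the session, never
    from anything the client put in the request.
    """
    if not is_authorized_sender(session_user, request["from"]):
        raise PermissionError(
            f"{session_user!r} is not authorized to send as {normalize(request['from'])!r}"
        )
    return {"sender": normalize(request["from"]), "authenticated_as": session_user}


if __name__ == "__main__":
    print(send_mail_vulnerable("bob", {"from": "Alice <alice@example.org>"}))
    print(send_mail_fixed("alice", {"from": "Alice <Alice.Smith@Example.org>"}))
    try:
        send_mail_fixed("bob", {"from": "alice@example.org"})
    except PermissionError as exc:
        print("refused:", exc)
```

The design point is that the fixed handler derives the set of permitted identities from the server-side session and treats the request's `from` field only as a selection among those, so a display name or case variation cannot smuggle in a foreign address.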

Potential Impact

For European organizations, this vulnerability poses a substantial risk to internal and external communications. SOGo Webmail is used by various enterprises and institutions, including government bodies, educational institutions, and private companies. Exploitation could lead to unauthorized emails appearing to originate from trusted internal users, damaging organizational reputation and enabling targeted phishing attacks that could compromise sensitive data or credentials. The impersonation could also facilitate fraud, misinformation, or unauthorized instructions within business processes. Given the strict data protection regulations in Europe, such as GDPR, unauthorized disclosure or manipulation of communications could result in regulatory penalties and loss of customer trust. Moreover, sectors with high reliance on secure email communications, such as finance, healthcare, and public administration, would be particularly vulnerable to operational disruption and reputational harm.

Mitigation Recommendations

Organizations should immediately verify if they are running vulnerable versions of SOGo Webmail (up to 5.6.0) and prioritize upgrading to a patched version once available. In the absence of an official patch, administrators should implement strict access controls and monitor email sending logs for anomalous sender identities. Additional mitigations include configuring email gateway filters to detect and block spoofed internal sender addresses, enforcing multi-factor authentication to reduce the risk of compromised accounts, and educating users about the risk of phishing and impersonation. Network segmentation and limiting administrative privileges can reduce the attack surface. Organizations should also consider deploying Data Loss Prevention (DLP) solutions that can identify unauthorized email sending patterns. Finally, regularly auditing and reviewing email server configurations to ensure proper authorization checks are enforced is critical.
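The recommendation to monitor email-sending logs for anomalous sender identities can be turned into a simple audit. The following added example (not part of the advisory and not SOGo's own tooling) parses constructed log lines in a made-up send-log format and flags every send event whose From address is not among the authenticated account's permitted identities; the identity table and the log format are assumptions for the illustration, so the regex would need adapting to a real server's log layout.

```python
import re
from email.utils import parseaddr

# Constructed identity table: which addresses each account may send as.
ALLOWED_IDENTITIES = {
    "alice": {"alice@example.org", "alice.smith@example.org"},
    "bob": {"bob@example.org"},
}

# Constructed sample log in a hypothetical send-log format: one line per
# event with the authenticated account and the From header that was used.
SAMPLE_LOG = """\
2025-08-04T10:01:12Z action=send user=alice from="Alice <alice@example.org>" to=carol@example.org
2025-08-04T10:02:40Z action=send user=bob from="Bob <bob@example.org>" to=carol@example.org
2025-08-04T10:03:05Z action=send user=bob from="Alice Smith <alice.smith@example.org>" to=carol@example.org
2025-08-04T10:04:51Z action=login user=bob
2025-08-04T10:05:17Z action=send user=alice from="Bob <bob@example.org>" to=dave@example.org
"""

# Matches only send events; login and other actions are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) action=send user=(?P<user>\S+) from="(?P<from>[^"]*)" to=(?P<to>\S+)$'
)


def normalize(address: str) -> str:
    """Reduce 'Display Name <addr>' to a lower-cased bare address."""
    return parseaddr(address)[1].strip().lower()


def find_identity_mismatches(log_text: str, identities=ALLOWED_IDENTITIES) -> list:
    """Return send events whose From address is not one of the sender's identities.

    Each finding records who was authenticated, which address they sent as,
    and the recipient, which is what an analyst needs to follow up.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a send event
        user = m.group("user")
        sender = normalize(m.group("from"))
        if sender not in identities.get(user, set()):
            findings.append({
                "timestamp": m.group("ts"),
                "user": user,
                "sender": sender,
                "recipient": m.group("to"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_identity_mismatches(SAMPLE_LOG):
        print("identity mismatch:", finding)
```

Run against the constructed log, the audit reports the two events in which an account sent as an address it does not own; an unpatched server will produce such lines whenever the flaw is exercised, so a zero-result run is the expected baseline to alert on.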


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68911568ad5a09ad00e300c5

Added to database: 8/4/2025, 8:17:44 PM

Last enriched: 8/4/2025, 8:32:53 PM

Last updated: 8/4/2025, 8:32:53 PM
