
CVE-2025-50340: n/a

Medium
Published: Mon Aug 04 2025 (08/04/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. NOTE: this is disputed by the Supplier because the only effective way to prevent this sender spoofing is on the SMTP server, not within a client such as SOGo.

AI-Powered Analysis

Last updated: 08/19/2025, 01:24:12 UTC

Technical Analysis

CVE-2025-50340 is an Insecure Direct Object Reference (IDOR) vulnerability reported in SOGo Webmail versions up to and including 5.6.0. An authenticated user can alter a user-controlled identifier in the email-sending request so that the message is delivered on behalf of another user, because the server never verifies that the authenticated user is permitted to use the specified sender identity. The flaw allows impersonation of legitimate users within the same deployment and therefore supports phishing, unauthorized communication and social-engineering campaigns. It is categorized as CWE-639 (Authorization Bypass Through User-Controlled Key): the request names an object, here a sender identity, and the server acts on it without checking that the caller owns it. The supplier disputes the report, arguing that sender spoofing can only be prevented effectively on the SMTP server, where the binding between the authenticated submission login and the sender address is enforced, and not in a client such as SOGo. Both positions are compatible in practice: a client that lets a user choose an identity should still verify that the identity belongs to that user, and a submission server should enforce the login-to-sender binding regardless of which client connects. The CVSS v3.1 base score shown here is 4.3 (medium), consistent with an attack that is network-reachable, low in complexity, requires only low privileges (an ordinary account) and no user interaction, and affects integrity alone, not confidentiality or availability; note that the CVE record itself carries no CVSS version (see Technical Details below). No exploits are reported in the wild and no patch has been linked. The issue is a weakness in the SOGo Webmail client's authorization logic for sender identities at the point where a message is dispatched.
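The authorization gap described above, shown as an added illustration rather than SOGo's own code: the request shape, the identity store and every function name are assumptions made for the demonstration. The vulnerable handler accepts the sender address from the request unchecked; the hardened handler resolves it against the identities the authenticated user actually owns.

```python
"""Illustrative model of the sender-identity IDOR described for CVE-2025-50340.

Added example, not SOGo code: the request shape, the identity store and every
function name here are assumptions made for the demonstration.
"""
from dataclasses import dataclass

# Constructed sample data: for each login, the sender identities that user is
# allowed to use. In a real deployment this comes from the directory or the
# user's server-side preferences, never from the send request itself.
ALLOWED_IDENTITIES = {
    "alice": {"alice@example.org", "support@example.org"},
    "bob": {"bob@example.org"},
}


class AuthorizationError(Exception):
    """The authenticated user may not act under the requested identity."""


@dataclass
class SentMail:
    envelope_from: str   # MAIL FROM handed to the submission server
    header_from: str     # RFC 5322 From: that the recipient will see
    to: str
    subject: str


def normalize(address: str) -> str:
    """Canonical form for comparison (trim whitespace, lowercase)."""
    return address.strip().lower()


def is_authorized(auth_user: str, sender: str) -> bool:
    """True only if `sender` is one of the identities owned by `auth_user`."""
    return normalize(sender) in ALLOWED_IDENTITIES.get(auth_user, set())


def send_vulnerable(auth_user: str, request: dict) -> SentMail:
    """Vulnerable pattern (CWE-639): the session proves that *a* user is logged
    in, but the sender address is taken from the request and never tied to
    that user, so any authenticated account can send as anyone."""
    if auth_user not in ALLOWED_IDENTITIES:
        raise AuthorizationError("not authenticated")
    sender = normalize(request["from"])   # user-controlled key, used unchecked
    return SentMail(sender, sender, request["to"], request["subject"])


def send_hardened(auth_user: str, request: dict) -> SentMail:
    """Hardened pattern: the request may still name an identity, but it is only
    honoured if it belongs to the authenticated user; otherwise the send is
    refused and the mismatch is raised so that it can be logged for audit."""
    if auth_user not in ALLOWED_IDENTITIES:
        raise AuthorizationError("not authenticated")
    sender = normalize(request["from"])
    if not is_authorized(auth_user, sender):
        raise AuthorizationError(
            f"login {auth_user!r} attempted to send as {sender!r}")
    return SentMail(sender, sender, request["to"], request["subject"])


def send_outcome(auth_user: str, request: dict) -> str:
    """'sent' or 'refused' for the hardened path; convenient for audit logging."""
    try:
        send_hardened(auth_user, request)
        return "sent"
    except AuthorizationError:
        return "refused"


if __name__ == "__main__":
    # Constructed request: bob's session, but the "from" field names alice.
    spoof = {"from": "alice@example.org", "to": "ceo@example.org",
             "subject": "Urgent: please approve the transfer"}
    print("vulnerable:", send_vulnerable("bob", spoof).header_from)  # alice@example.org
    print("hardened:", send_outcome("bob", spoof))                   # refused
```

The point of `is_authorized` is that the set of acceptable identities is looked up by the session's user, not by anything in the request; the client-supplied value only selects among what that user already owns. Normalizing the address before comparison closes the obvious case-variant bypass of a naive string match.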

Potential Impact

For European organizations using SOGo Webmail, this vulnerability primarily threatens the integrity of email communications. Anyone holding valid credentials for any account on the server, whether a low-privilege insider or an attacker who has phished one ordinary user, could send mail that appears to come from any other user on the same server, such as a manager, the finance department or the IT helpdesk. Because the message is submitted through the organization's own mail infrastructure, it carries none of the signals that distinguish external spoofing and will be trusted accordingly. This enables internal phishing campaigns, misinformation and social engineering against employees or external partners, undermines trust in organizational communications, and can lead to data leakage or fraud when recipients act on a spoofed request. Confidentiality and availability are not directly affected, but the reputational damage and operational disruption caused by a successful impersonation can be significant, and organizations in regulated sectors such as finance, healthcare and government may face compliance consequences if spoofing results in a data breach or financial loss. The medium severity rating reflects that exploitation requires an authenticated account; once that bar is met, impersonating more trusted users is the main avenue for escalating the attack.

Mitigation Recommendations

Because the supplier does not treat this as a client-side defect, organizations should apply layered controls and not rely on the SOGo Webmail client alone. The effective control, and the one the supplier points to, is on the submission (SMTP) server: bind each authenticated login to the sender addresses it may use and reject any message whose envelope sender (and, ideally, From: header) does not belong to the login that submitted it; in Postfix this is done with smtpd_sender_login_maps together with reject_sender_login_mismatch on the submission service. SPF, DKIM and DMARC do not address this case: the spoofed message originates from the organization's own authenticated submission server, uses the organization's own domain and is signed like any legitimate message, so all three checks pass. Within SOGo, review identity and delegation settings so that users hold only the sender identities they need. Audit sending activity and correlate the SASL login recorded by the submission server (in Postfix, the sasl_username= field on the client= log line) with the sender address of each message; a mismatch is a direct indicator of this abuse. An email security gateway with anti-spoofing and anomaly detection adds a further layer for mail leaving the organization. Apply an updated SOGo release if one addressing this issue is published, bearing in mind that the supplier currently disputes the report. In the interim, remind users that internal mail can be spoofed and that unexpected requests for sensitive actions or information should be verified out of band.
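One concrete form of the server-side control described above, as an added example for Postfix (not from the page, SOGo or the Postfix defaults; the map path, domain and login names are assumptions). The weak state is shown commented out beside the corrected one.

```ini
# ---- /etc/postfix/main.cf ----
# Weak (default) state: no login-to-sender mapping, so any SASL-authenticated
# client may use any MAIL FROM address:
#   smtpd_sender_login_maps =
#
# Corrected: look up the owner login(s) of each envelope sender address.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# ---- /etc/postfix/sender_login  (build with: postmap /etc/postfix/sender_login) ----
# envelope sender address   login(s) allowed to use it, comma separated
# alice@example.org         alice
# support@example.org       alice
# bob@example.org           bob

# ---- /etc/postfix/master.cf, submission service (port 587) only ----
# The MX service keeps its own restrictions for inbound mail; the mismatch
# check belongs on the port where the webmail client submits outbound mail.
# submission inet n - y - - smtpd
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
```

With this in place, a client logged in as bob that issues MAIL FROM:<alice@example.org> is rejected regardless of which webmail or desktop client sent it. Note the limit of this control: reject_sender_login_mismatch checks only the envelope sender, not the RFC 5322 From: header that the recipient sees, so the header must be verified separately, for example with a milter that compares it to the SASL login.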


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-16T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68911568ad5a09ad00e300c5

Added to database: 8/4/2025, 8:17:44 PM

Last enriched: 8/19/2025, 1:24:12 AM

Last updated: 11/2/2025, 1:48:19 AM
