
CVE-2025-53859: CWE-125 Out-of-bounds Read in F5 NGINX Plus

Severity: Low
Published: Wed Aug 13 2025 (08/13/2025, 14:46:55 UTC)
Source: CVE Database V5
Vendor/Project: F5
Product: NGINX Plus

Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AI-Powered Analysis

Last updated: 08/13/2025, 15:21:03 UTC

Technical Analysis

CVE-2025-53859 is a security vulnerability classified as an out-of-bounds read (CWE-125) affecting F5's NGINX Plus and NGINX Open Source when built with the ngx_mail_smtp_module. This vulnerability arises during the SMTP authentication process, specifically when the smtp_auth directive is configured with the method "none" and the authentication server returns the "Auth-Wait" response header. Under these conditions, an unauthenticated attacker can trigger an out-of-bounds read that causes the server to leak arbitrary bytes from its memory related to the SMTP authentication process. The vulnerability requires the attacker to perform preparatory actions against the target system to successfully extract leaked data, indicating a non-trivial exploitation process. The affected versions include NGINX Plus releases R30 through R34. The vulnerability does not impact versions that have reached End of Technical Support. The CVSS v3.1 base score is 3.7, indicating a low severity level, with an attack vector of network (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L) without integrity or availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability could potentially expose sensitive memory contents during SMTP authentication, which might include authentication tokens or other sensitive data, but the impact is limited by the specific configuration requirements and the complexity of exploitation.

Potential Impact

For European organizations, the impact of CVE-2025-53859 is relatively limited but should not be dismissed. Organizations using NGINX Plus or NGINX Open Source with the ngx_mail_smtp_module configured with smtp_auth set to "none" and relying on SMTP authentication servers that return the "Auth-Wait" header are at risk of sensitive information leakage. This could lead to partial disclosure of authentication-related memory contents, potentially aiding attackers in further reconnaissance or targeted attacks. However, the low CVSS score and high attack complexity reduce the likelihood of widespread exploitation. The vulnerability does not affect integrity or availability, so direct disruption or data manipulation is unlikely. Still, in environments where SMTP authentication is critical for secure mail flow or internal communications, any leakage could undermine trust or confidentiality. European organizations in sectors with high email security requirements, such as finance, healthcare, and government, should be particularly attentive. The lack of known exploits in the wild suggests this is a low immediate threat but warrants proactive mitigation to prevent future exploitation.

Mitigation Recommendations

To mitigate CVE-2025-53859, European organizations should first audit their NGINX Plus and NGINX Open Source deployments to identify if the ngx_mail_smtp_module is enabled and if the smtp_auth directive is configured with the "none" method. If this configuration is in use, consider changing the smtp_auth method to a more secure option that does not trigger the vulnerability, such as "plain" or "login," provided it aligns with organizational security policies. Additionally, verify the behavior of the SMTP authentication server to ensure it does not return the "Auth-Wait" response header, or configure it to avoid this header if possible. Organizations should monitor F5 and NGINX security advisories for patches addressing this vulnerability and apply them promptly once available. Network-level controls such as restricting access to SMTP services to trusted hosts and implementing strict firewall rules can reduce exposure. Logging and monitoring SMTP authentication attempts for unusual patterns may help detect exploitation attempts. Finally, consider isolating or segmenting mail services to limit the impact of any potential data leakage.
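The audit step above can be scripted against the output of `nginx -V 2>&1` and `nginx -T`. The following is an added example, not code from the advisory or from F5: the function names and sample inputs are constructed for illustration, and it assumes each `smtp_auth` directive sits on a single line.

```python
import re

# Constructed samples standing in for `nginx -V 2>&1` and `nginx -T` output.
SAMPLE_V = ("nginx version: nginx/X.Y.Z\n"
            "configure arguments: --with-mail --with-mail_ssl_module\n")
SAMPLE_T = """# configuration file /etc/nginx/nginx.conf:
mail {
    auth_http 127.0.0.1:9000/auth;  # constructed auth server address
    server {
        listen 25;
        protocol smtp;
        smtp_auth login plain none;
    }
    server { listen 587; protocol smtp; smtp_auth login plain; }
}
"""

FILE_MARK = re.compile(r"^# configuration file (.+):\s*$")
SMTP_AUTH = re.compile(r"(?:^|[\s;{])smtp_auth\s+([^;]+);")

def mail_smtp_built(nginx_v: str) -> bool:
    """Condition 1: mail support compiled in and the SMTP module not excluded."""
    has_mail = re.search(r"--with-mail(=dynamic)?(\s|$)", nginx_v) is not None
    return has_mail and "--without-mail_smtp_module" not in nginx_v

def smtp_auth_none(nginx_t: str) -> list:
    """Condition 2: (file, line, methods) for each smtp_auth listing 'none'."""
    hits, current, lineno = [], "<unknown>", 0
    for raw in nginx_t.splitlines():
        mark = FILE_MARK.match(raw)
        if mark:  # nginx -T prefixes every included file with this marker
            current, lineno = mark.group(1), 0
            continue
        lineno += 1
        code = raw.split("#", 1)[0]  # drop comments (assumes no quoted '#')
        for d in SMTP_AUTH.finditer(code):
            methods = d.group(1).split()
            if "none" in methods:
                hits.append((current, lineno, methods))
    return hits

def assess(nginx_v: str, nginx_t: str) -> dict:
    """Conditions 1 and 2; condition 3 (Auth-Wait) must be checked on the auth server."""
    built = mail_smtp_built(nginx_v)
    hits = smtp_auth_none(nginx_t) if built else []
    return {"module_built": built, "smtp_auth_none": hits, "check_auth_wait": bool(hits)}

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_T))
```

When `check_auth_wait` is true, the remaining condition (whether the `auth_http` backend ever returns the "Auth-Wait" header) cannot be read from the NGINX configuration and has to be verified on the authentication server itself.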


Technical Details

Data Version: 5.1
Assigner Short Name: f5
Date Reserved: 2025-07-29T17:12:25.039Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 689ca919ad5a09ad004493fe

Added to database: 8/13/2025, 3:02:49 PM

Last enriched: 8/13/2025, 3:21:03 PM

Last updated: 8/13/2025, 3:21:03 PM
