CVE-2025-68643 is a stored Cross-Site Scripting (XSS) vulnerability affecting Axigen Mail Server versions prior to 10.5.57. The vulnerability is rooted in the handling of the timeFormat account preference parameter, which is not properly sanitized before being inserted into the Document Object Model (DOM) of the WebMail interface. An attacker can exploit this vulnerability through a multi-stage process. Initially, the attacker must inject a malicious JavaScript payload into the timeFormat preference. This injection can be achieved either by exploiting a separate vulnerability within the system or by leveraging compromised user credentials that allow modification of account preferences. Once the payload is stored, it remains dormant until the targeted user logs into the WebMail interface. At that point, the unsanitized timeFormat value is loaded and inserted into the DOM, causing the malicious script to execute in the context of the victim's browser session. This stored XSS can lead to unauthorized actions such as session hijacking, theft of sensitive information, or manipulation of the WebMail interface. The vulnerability requires network access, low attack complexity, and privileges to modify account preferences, with user interaction necessary to trigger the payload. The CVSS 3.1 base score is 5.4, indicating medium severity, with impacts on confidentiality and integrity but no direct availability impact. No patches are currently linked, and no known exploits have been reported in the wild, suggesting limited active exploitation at this time.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of email communications and user sessions. If exploited, attackers could hijack user sessions, steal sensitive email content, or perform unauthorized actions within the WebMail interface, potentially leading to data breaches or further lateral movement within the network. Organizations relying on Axigen Mail Server for critical communications may face reputational damage and compliance issues, especially under GDPR regulations concerning personal data protection. The requirement for attacker privileges or prior compromise reduces the likelihood of widespread exploitation but does not eliminate risk, particularly in environments with weak credential management or insufficient access controls. The absence of known exploits in the wild provides a window for proactive mitigation. However, the multi-stage nature of the attack means that attackers who have already gained some foothold could leverage this vulnerability to escalate their impact.

European organizations should immediately verify their Axigen Mail Server versions and upgrade to 10.5.57 or later once patches are available. In the absence of an official patch, administrators should restrict access to account preference modification interfaces and enforce strong authentication mechanisms, including multi-factor authentication, to prevent unauthorized changes. Regularly audit account preferences for suspicious entries, particularly the timeFormat parameter. Implement Content Security Policy (CSP) headers in the WebMail interface to limit the execution of unauthorized scripts. Network segmentation and monitoring for unusual WebMail activity can help detect exploitation attempts. Additionally, educate users about phishing and credential security to reduce the risk of initial compromise. Organizations should also monitor threat intelligence feeds for any emerging exploits targeting this vulnerability and prepare incident response plans accordingly.