CVE-2025-68723 is a critical stored Cross-Site Scripting (XSS) vulnerability identified in the Axigen Mail Server's WebAdmin interface versions before 10.5.57. The vulnerability manifests in three distinct input vectors within the administrative web interface: (1) the log file name parameter on the Local Services Log page, (2) the certificate file content displayed in the SSL Certificates View Usage feature, and (3) the certificate file name parameter within the WebMail Listeners SSL settings. These parameters insufficiently sanitize user-supplied input, allowing attackers to inject malicious JavaScript payloads that are persistently stored and later executed in the browsers of administrators who access the affected pages. This stored XSS enables attackers with low privileges to escalate their access by coercing higher-privileged administrators into executing unauthorized actions, effectively bypassing intended privilege boundaries. The vulnerability impacts confidentiality, integrity, and availability by potentially exposing sensitive administrative functions and data, altering configurations, or disrupting mail server operations. Exploitation requires an attacker to have some level of access to the WebAdmin interface (low privilege) and to trick or wait for a high-privileged admin to visit the compromised pages, thus involving user interaction. The CVSS v3.1 base score is 9.0, reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and a scope change with high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the critical severity demands immediate attention. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). No official patches or updates are linked yet, but upgrading to version 10.5.57 or later is recommended once available. Organizations should also implement rigorous input validation, restrict WebAdmin access to trusted administrators, and monitor for suspicious activity to mitigate exploitation risks.

The impact of CVE-2025-68723 is significant for organizations using Axigen Mail Server, particularly those relying on its WebAdmin interface for mail server management. Successful exploitation can lead to privilege escalation, where attackers with low-level access inject malicious scripts that execute in the browsers of high-privileged administrators. This can result in unauthorized administrative actions, including configuration changes, data exposure, or disruption of mail services. The compromise of administrative credentials or session hijacking could follow, leading to broader network infiltration. Confidentiality is at risk due to potential exposure of sensitive mail server configurations and logs. Integrity is threatened by unauthorized changes to server settings or certificates, potentially undermining secure communications. Availability could be impacted if attackers disrupt mail services or disable critical functions. Given the critical CVSS score of 9.0, the vulnerability poses a high risk of severe operational and reputational damage. Organizations with exposed or poorly secured WebAdmin interfaces are particularly vulnerable. The lack of known exploits in the wild suggests a window for proactive mitigation, but the ease of exploitation and high impact necessitate urgent remediation.

To mitigate CVE-2025-68723 effectively, organizations should: 1) Immediately plan to upgrade Axigen Mail Server to version 10.5.57 or later once the patch is released, as this is the definitive fix. 2) Until patching is possible, restrict access to the WebAdmin interface strictly to trusted administrators via network segmentation, VPNs, or IP whitelisting to reduce exposure. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the vulnerable parameters (log file names, certificate file content, and certificate file names). 4) Enforce strict input validation and output encoding on all user-supplied data within the WebAdmin interface to prevent script injection. 5) Educate administrators about the risk of clicking on suspicious links or accessing untrusted pages within the WebAdmin interface to reduce the risk of executing malicious payloads. 6) Monitor WebAdmin access logs and server logs for unusual activity or repeated access to the vulnerable pages. 7) Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the administrative interface. 8) Regularly audit and review administrative privileges to ensure least privilege principles are enforced, minimizing the impact of any potential exploitation. These targeted steps go beyond generic advice by focusing on the specific vectors and operational context of the vulnerability.