
CVE-2025-7962: CWE-147 Improper Neutralization of Input Terminators in Eclipse Foundation Jakarta Mail

Severity: Medium
Tags: Vulnerability, CVE-2025-7962, CWE-147
Published: Mon Jul 21 2025 (07/21/2025, 17:22:12 UTC)
Source: CVE Database V5
Vendor/Project: Eclipse Foundation
Product: Jakarta Mail

Description

In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.

AI-Powered Analysis

AI analysis last updated: 07/29/2025, 01:10:44 UTC

Technical Analysis

CVE-2025-7962 is a vulnerability identified in the Eclipse Foundation's Jakarta Mail library version 2.0.2, categorized under CWE-147: Improper Neutralization of Input Terminators. It allows an attacker to perform SMTP injection by exploiting the improper handling of carriage return (\r) and line feed (\n) characters within the mail-sending functionality. Because these input terminators are not sanitized or neutralized, an attacker who controls a value that ends up in the SMTP dialogue can inject additional SMTP commands or split one message into several. This can lead to unauthorized command execution on the SMTP server, potentially allowing attackers to send arbitrary emails, manipulate email headers, or conduct phishing and spam campaigns using the affected mail infrastructure. The CVSS 4.0 base score is 6.0, indicating medium severity. The vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N shows that the attack is network-based (AV:N), requires high attack complexity (AC:H) but no special attack requirements (AT:N), needs low privileges (PR:L) and no user interaction (UI:N), has a high impact on the integrity of the vulnerable system (VI:H) and a low impact on the integrity of subsequent systems (SI:L), and has no impact on confidentiality or availability. No known exploits are currently reported in the wild, and no patches have been linked yet, so mitigation may rely on configuration changes or awaiting official updates. Jakarta Mail is widely used in Java applications for email handling, making it a critical component in many enterprise and cloud-based email systems.

Potential Impact

For European organizations, this vulnerability poses a significant risk, particularly to enterprises relying on Java-based email services and applications that use Jakarta Mail 2.0.2. Exploitation could lead to unauthorized email sending, enabling attackers to conduct phishing campaigns, distribute malware, or perform business email compromise (BEC) attacks. This can result in reputational damage, financial losses, and regulatory penalties under GDPR if personal data is exposed or misused. Additionally, the integrity of internal communications may be compromised, affecting trust and operational security. Since many European organizations use Java-based middleware and email solutions, the risk extends across sectors including finance, healthcare, government, and critical infrastructure. The medium CVSS score reflects that while exploitation requires some complexity and low privileges, the potential impact on message integrity is high, which is critical for email systems. Because no user interaction is required, automated attacks could be feasible once the vulnerability is weaponized.

Mitigation Recommendations

European organizations should immediately audit their use of Jakarta Mail libraries, specifically checking for version 2.0.2 usage. Until an official patch is released, organizations should implement strict input validation and sanitization on all email-related inputs to neutralize carriage return and line feed characters. Network-level controls such as restricting SMTP relay access, enforcing strong authentication on SMTP servers, and monitoring SMTP traffic for anomalous command sequences can reduce risk. Application-level mitigations include upgrading to a non-vulnerable version of Jakarta Mail once available or applying vendor-provided patches. Additionally, organizations should enhance email security monitoring to detect unusual outbound email patterns indicative of SMTP injection attempts. Employing email authentication protocols like SPF, DKIM, and DMARC can help mitigate the impact of spoofed emails resulting from exploitation. Finally, security teams should prepare incident response plans specific to email compromise scenarios and educate users about phishing risks.
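The input-validation mitigation above is the one an application can apply on its own side regardless of library version: every value destined for a header or an SMTP envelope command is checked for CR, LF and other control characters before it is handed to the mail API. The following class is an added example written for this page, not code from the CVE record or the Jakarta Mail project. It assumes an application that collects values such as a subject line or a display name from untrusted input and then passes them to Jakarta Mail calls like MimeMessage.setSubject; the class name MailHeaderInput and the field names are hypothetical, and the sample inputs in main are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not code from the CVE record or the Jakarta Mail project.
// Validates header-bound values (Subject, display names, addresses) before an
// application hands them to a mail API, so that CR/LF and other control
// characters never reach the message headers or the SMTP dialogue.
public final class MailHeaderInput {

    // CR, LF, NUL and every other C0 control character, plus DEL.
    // Tab is deliberately included: a header value taken from untrusted
    // input is required to be a single line of printable text.
    private static final Pattern CONTROL_CHARS = Pattern.compile("[\\x00-\\x1F\\x7F]");

    private MailHeaderInput() {}

    // True when the value contains a CR, LF or other control character.
    public static boolean containsControlChar(String value) {
        return value != null && CONTROL_CHARS.matcher(value).find();
    }

    // Strict policy: refuse the input outright. Use this for addresses and
    // anything that lands in an SMTP envelope command, where silently
    // "fixing" the value would hide an attempted injection from the logs.
    public static String requireSingleLine(String field, String value) {
        if (value == null) {
            throw new IllegalArgumentException(field + ": value is required");
        }
        if (containsControlChar(value)) {
            throw new IllegalArgumentException(
                field + ": control character at index " + indexOfControlChar(value));
        }
        return value;
    }

    // Lenient policy for free text such as Subject: collapse every control
    // character to a single space so the value cannot terminate the header line.
    public static String collapseToSingleLine(String value) {
        return CONTROL_CHARS.matcher(value == null ? "" : value).replaceAll(" ").trim();
    }

    private static int indexOfControlChar(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7F) {
                return i;
            }
        }
        return -1;
    }

    // Renders CR, LF and NUL visibly so the demo output stays on one line.
    static String show(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n").replace("\0", "\\0");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as an application might receive them from a web form.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("clean subject", "Your order has shipped");
        samples.put("CRLF then extra header line", "Your order\r\nX-Injected: yes");
        samples.put("bare LF", "line one\nline two");
        samples.put("NUL byte", "abc\0def");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String v = e.getValue();
            String verdict;
            try {
                requireSingleLine("subject", v);
                verdict = "accepted";
            } catch (IllegalArgumentException ex) {
                verdict = "rejected (" + ex.getMessage() + ")";
            }
            System.out.printf("%-28s %-34s -> %s%n", e.getKey(), show(v), verdict);
            System.out.printf("%-28s %-34s -> collapsed: \"%s\"%n", "", "", collapseToSingleLine(v));
        }
    }
}
```

The strict requireSingleLine policy is the right default for recipient addresses and anything else that the library will echo into MAIL FROM or RCPT TO commands: a rejected request leaves an audit trail, whereas stripping the characters would make an injection attempt look like ordinary traffic. The collapsing variant is acceptable for cosmetic free text such as a subject, where losing a stray newline costs nothing. Either way the check runs before the value is given to Jakarta Mail, so it does not depend on how a particular library version treats terminators.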


Technical Details

Data Version: 5.1
Assigner Short Name: eclipse
Date Reserved: 2025-07-21T17:10:58.094Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687e7cdfa83201eaac121637

Added to database: 7/21/2025, 5:46:07 PM

Last enriched: 7/29/2025, 1:10:44 AM

Last updated: 8/18/2025, 1:22:23 AM
