CVE-2025-68643 in Mail Server
Summary
by MITRE • 02/05/2026
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute.
Analysis
by VulDB Data Team • 02/12/2026
The vulnerability CVE-2025-68643 represents a stored cross-site scripting flaw in Axigen Mail Server versions prior to 10.5.57, specifically affecting the timeFormat account preference parameter. This issue falls under the CWE-79 category of Cross-Site Scripting, where malicious scripts can be injected and executed within the context of a victim's browser session. The vulnerability demonstrates a critical weakness in input validation and output sanitization mechanisms within the mail server's web interface, creating a persistent threat vector that can be exploited through legitimate user interactions.
Exploiting this vulnerability is a multi-stage process that combines the stored XSS with some pre-existing write access to the account. In the initial phase, the attacker must first gain the ability to modify account preferences, either by exploiting a separate vulnerability in the system or by obtaining compromised credentials through social engineering, credential theft, or other unauthorized access. The second stage executes when the victim user opens the WebMail interface: the malicious JavaScript previously stored in the timeFormat parameter is loaded from storage and runs in the victim's browser. This happens because the application does not sanitize or encode the stored value before inserting it into the page's DOM, so the injected script persists and executes on every session that renders the preference.
The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform session hijacking, credential theft, data exfiltration, and privilege escalation within the mail server environment. Attackers can leverage this vulnerability to establish persistent access to user accounts, monitor communications, modify email content, or even gain administrative privileges if they can escalate their access level. The stored nature of the vulnerability means that the malicious payload remains active until the affected parameter is modified or the application is updated, creating a long-term threat that can affect multiple users over extended periods. This vulnerability aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments and T1059.001 for command and control through script-based attacks.
Organizations using affected Axigen Mail Server versions should implement immediate mitigations including updating to version 10.5.57 or later, implementing strict input validation for all user-controllable parameters, and deploying web application firewalls to detect and block suspicious payload delivery. Additionally, administrators should conduct thorough security audits of user permissions, implement multi-factor authentication, and monitor for unusual account modifications that might indicate exploitation attempts. The vulnerability underscores the importance of proper output encoding and input sanitization practices, particularly for web applications handling user preferences and configuration data, as recommended in OWASP Top Ten security guidelines and NIST Cybersecurity Framework standards for secure software development practices.
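The two failures described above (no validation on the save path, no encoding on the render path) and the corresponding mitigations can be illustrated with a small model of a preference store. This is an added example, not Axigen's code; the function names, the allow-list regex and the sample account data are all assumptions constructed for the illustration.

```javascript
// Added illustration, not Axigen code: how a stored preference such as timeFormat
// becomes stored XSS when it is written into the DOM as HTML, and the two layers
// that stop it: an allow-list on the save path and HTML escaping on the render path.

// Constructed sample values: a legitimate time format and a tainted one.
const LEGIT_PREF = "HH:mm";
const TAINTED_PREF = 'HH:mm<img src=x onerror="alert(1)">';

// Allow-list (assumed): a time format consists only of pattern tokens and separators,
// e.g. "HH:mm", "hh:mm a", "H.mm". Markup characters can never pass.
const TIME_FORMAT_RE = /^[HhmsaAkK:.\s\/-]{1,16}$/;

function isValidTimeFormat(value) {
  return typeof value === "string" && TIME_FORMAT_RE.test(value);
}

// Save path: reject anything outside the allow-list before it reaches storage.
// Returns true when the value was stored, false when it was refused.
function saveTimeFormat(prefs, value) {
  if (!isValidTimeFormat(value)) return false;
  prefs.timeFormat = value;
  return true;
}

// Minimal escaper for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable render (the pattern the advisory describes): the stored string is
// concatenated into HTML, so any markup in it is parsed and executed by the browser.
function renderPrefUnsafe(pref) {
  return `<span class="time-format">${pref}</span>`;
}

// Hardened render: escape on output, so even a value that slipped into storage
// (e.g. via a separate vulnerability) is displayed as text rather than parsed.
function renderPrefSafe(pref) {
  return `<span class="time-format">${escapeHtml(pref)}</span>`;
}

// Detection aid for administrators: scan stored preferences across accounts and
// report those whose timeFormat fails the allow-list, which a legitimate value never does.
function findTamperedAccounts(accounts) {
  return Object.entries(accounts)
    .filter(([, prefs]) => !isValidTimeFormat(prefs.timeFormat))
    .map(([name]) => name);
}

// Constructed sample store used by the checks below.
const SAMPLE_ACCOUNTS = {
  alice: { timeFormat: LEGIT_PREF },
  bob: { timeFormat: TAINTED_PREF },
  carol: { timeFormat: "hh:mm a" },
};
```

Running the render functions over TAINTED_PREF shows the difference directly: the unsafe output still contains the img tag, the safe output contains only escaped entities, and findTamperedAccounts(SAMPLE_ACCOUNTS) flags the one account holding the tainted value.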