
A critical zero-day remote code execution (RCE) vulnerability in Active! Mail, a widely used Japanese webmail client, is being actively exploited against large organizations in Japan. The flaw, identified as CVE-2025-42599, allows attackers to execute arbitrary code or cause denial-of-service conditions via crafted HTTP requests. According to Japan CERT, the attacks primarily target corporations, universities, and financial institutions, with over 2,250 organizations and 11 million accounts potentially affected [1].
Technical Analysis of the Vulnerability
The vulnerability stems from a stack-based buffer overflow in Active! Mail's handling of multipart/form-data HTTP headers. All versions up to BuildInfo 6.60.05008561 are vulnerable, scoring a CVSS 9.8 due to the low attack complexity and lack of required privileges [1]. BleepingComputer reports that attackers are sending oversized headers to trigger the overflow, which can lead to either arbitrary code execution or service crashes depending on the payload structure.
Japan CERT has published specific WAF rules to block malicious requests by filtering HTTP headers exceeding 8KB in size. The vendor, Qualitia, released patched version BuildInfo 6.60.06008562 on April 18, 2025 [2]. Network traffic analysis shows that successful exploits typically follow this pattern:

```http
POST /mail/api HTTP/1.1
Host: [target]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary[malicious_payload]
Content-Length: [oversized_value]
```
Broader Threat Landscape in Japan
This attack coincides with multiple other RCE campaigns targeting Japanese infrastructure. Since January 2025, attackers have exploited PHP-CGI (CVE-2024-4577) against tech and e-commerce sectors, using tools like Cobalt Strike and Mimikatz for post-exploitation activities [3]. Cisco Talos observed credential dumping and lateral movement via Group Policy Object (GPO) abuse in these incidents.
Apache Tomcat servers with partial PUT method support enabled are also under attack (CVE-2025-24813), with GreyNoise detecting exploitation attempts across Japan, the U.S., and India [4]. Meanwhile, North Korean-linked Kimsuky APT continues exploiting the patched BlueKeep RDP vulnerability (CVE-2019-0708) against Japanese and South Korean targets [5].
Mitigation and Detection Strategies
For Active! Mail deployments, organizations should:
- Immediately update to BuildInfo 6.60.06008562
- Implement Japan CERT's recommended WAF rules for multipart/form-data header size limits
- Monitor for abnormal HTTP POST requests to /mail/api endpoints
Network defenders should also review logs for:

| Indicator | Detection Method |
|---|---|
| Oversized HTTP headers (>8KB) | WAF/IDS content length inspection |
| Unusual process spawning from actmail.exe | Endpoint detection (EDR) |
| Subsequent Cobalt Strike beacons | Network traffic analysis (JA3/SSL fingerprinting) |
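As an added example (not code from Japan CERT, Qualitia or the original article), the following Python script applies the criteria above to raw HTTP request heads: it blocks any request whose header block exceeds 8 KB and alerts on multipart/form-data POSTs to /mail/api so they can be reviewed. The sample requests and hostname are constructed; the verdict names and the use of the boundary parameter as the oversized field are assumptions for illustration.

```python
from typing import Dict, List, Tuple

HEADER_LIMIT = 8 * 1024      # Japan CERT WAF guidance: headers larger than 8 KB
WATCHED_PATH = "/mail/api"   # endpoint from the observed request pattern


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str], int]:
    """Split a raw HTTP request into (method, path, headers, head_size_in_bytes)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, len(head)


def assess_request(raw: bytes) -> Tuple[str, List[str]]:
    """Return ("block" | "alert" | "allow", reasons) for one request (verdict names assumed)."""
    method, path, headers, head_size = parse_request_head(raw)
    reasons: List[str] = []
    verdict = "allow"
    if head_size > HEADER_LIMIT:
        reasons.append(f"header block is {head_size} bytes (limit {HEADER_LIMIT})")
        verdict = "block"
    ctype = headers.get("content-type", "").lower()
    if method == "POST" and path.startswith(WATCHED_PATH) and ctype.startswith("multipart/form-data"):
        # Not malicious by itself, but the request shape the advisory says to monitor.
        reasons.append(f"multipart/form-data POST to {path}")
        verdict = verdict if verdict == "block" else "alert"
    return verdict, reasons


# Constructed sample requests (not captured traffic); the second one carries an
# oversized boundary parameter that pushes the header block past 8 KB.
NORMAL_REQUEST = (
    b"POST /mail/api HTTP/1.1\r\nHost: webmail.example.internal\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbc123\r\n"
    b"Content-Length: 512\r\n\r\n"
)
OVERSIZED_REQUEST = (
    b"POST /mail/api HTTP/1.1\r\nHost: webmail.example.internal\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary" + b"A" * 9000
    + b"\r\nContent-Length: 512\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(label, assess_request(req))
```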
The concurrent exploitation of multiple high-severity vulnerabilities underscores the need for comprehensive patch management. Organizations should prioritize updates for internet-facing systems, particularly webmail servers, VPN gateways, and web application frameworks.
Conclusion
The Active! Mail attacks demonstrate how attackers rapidly weaponize RCE flaws in regionally prevalent software. With over 11 million accounts at risk, this campaign highlights the importance of monitoring less globally recognized applications that may be critical within specific industries or geographic areas. The Japan CERT advisory provides actionable detection rules, while Qualitia’s prompt patch release offers a clear remediation path for affected organizations.
References
1. "Active! Mail RCE flaw exploited in attacks on Japanese orgs", BleepingComputer, 2025.
2. "Critical Security Update for Active! Mail", Qualitia, 2025.
3. "PHP-CGI RCE flaw exploited in attacks against Japanese tech firms", The Hacker News, 2025.
4. "Apache Tomcat RCE vulnerability under active exploitation", Cybersecurity Dive, 2025.
5. "Kimsuky APT exploits BlueKeep against Japanese targets", Security Affairs, 2025.