
A critical vulnerability (CVE-2025-42599) has been identified in Active! Mail 6, exposing systems to remote code execution and denial-of-service attacks. The stack-based buffer overflow vulnerability affects versions 6.60.05008561 and earlier, with a CVSS score of 9.8 (CRITICAL). Security teams should prioritize patching as active exploitation has been confirmed in the wild.
Executive Summary for Security Leadership
The vulnerability allows unauthenticated remote attackers to execute arbitrary code or crash systems by sending specially crafted requests. QUALITIA CO., LTD. has released a patched version (6.60.06008562) to address this issue. The attack vector is network-based and requires no user interaction, making it particularly dangerous for exposed systems.
- CVSS 3.x Score: 9.8 (CRITICAL)
- Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected Versions: Active! Mail 6 BuildInfo 6.60.05008561 and earlier
- Patch: Upgrade to BuildInfo 6.60.06008562
- Active Exploitation: Confirmed by JPCERT/CC and vendor
Technical Analysis of CVE-2025-42599
The vulnerability stems from improper bounds checking when processing incoming requests, leading to a stack-based buffer overflow condition (CWE-121). Attackers can craft malicious network packets that overflow the buffer, potentially overwriting return addresses and gaining control of the instruction pointer. This provides a pathway for arbitrary code execution with the privileges of the Active! Mail service.
According to the JVN database entry, the vulnerability is being actively exploited in the wild, though specific attack patterns have not been publicly documented. The lack of authentication requirements and the network-accessible nature of mail servers make this vulnerability particularly attractive to attackers.
Impact and Attack Surface
Successful exploitation could lead to complete system compromise, data exfiltration, or service disruption. The vulnerability affects the core mail processing functionality, meaning any system running a vulnerable version of Active! Mail 6 with network exposure is at risk. Organizations using this software for internal or external mail services should treat those systems as potentially compromised until patched.
QUALITIA CO., LTD. has acknowledged the vulnerability in their advisory, noting that the issue was discovered through external reports and internal testing. The company recommends immediate patching for all affected systems, particularly those accessible from untrusted networks.
Detection and Mitigation
Organizations should immediately inventory systems running Active! Mail 6 and check the BuildInfo version. The following steps are recommended:
- Identify all instances of Active! Mail 6 in your environment
- Verify version numbers against the vulnerable range (≤6.60.05008561)
- Apply the vendor patch (6.60.06008562) as soon as possible
- Monitor network traffic for unusual patterns or exploit attempts
- Consider temporary network isolation for critical systems until patched
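The first three steps above come down to one decision per host: is its BuildInfo at or below 6.60.05008561? Comparing BuildInfo strings as text gets this wrong (as strings, "6.7.0" sorts after "6.60.05008561" even though 7 < 60, and leading zeros shift results), so the following added example, not vendor tooling and not from the advisory, parses each BuildInfo into numeric segments before comparing. It assumes BuildInfo values are dot-separated decimal integers in the form quoted on this page; the hostnames and the older build number in the sample inventory are constructed.

```python
import re

# Boundaries taken from the advisory text above.
LAST_VULNERABLE = "6.60.05008561"   # this build and earlier are affected
FIXED = "6.60.06008562"             # first patched build

# Constructed sample inventory: (hostname, BuildInfo as reported by the host).
SAMPLE_INVENTORY = [
    ("mail01.example.internal", "6.60.05008561"),  # exactly the last vulnerable build
    ("mail02.example.internal", "6.60.06008562"),  # patched
    ("mail03.example.internal", "6.50.04001234"),  # older build (constructed number)
    ("mail04.example.internal", "unknown"),        # agent could not read the version
]


def parse_buildinfo(s):
    # Turn "6.60.05008561" into (6, 60, 5008561) so segments compare as
    # integers: leading zeros and differing segment widths no longer matter.
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError("unrecognised BuildInfo format: %r" % s)
    return tuple(int(x) for x in s.split("."))


def is_vulnerable(buildinfo):
    # Affected range is "Active! Mail 6 BuildInfo 6.60.05008561 and earlier".
    # Assumption: only the 6.x line is in scope; other major versions are
    # reported as not matching rather than guessed at.
    v = parse_buildinfo(buildinfo)
    if v[0] != 6:
        return False
    return v <= parse_buildinfo(LAST_VULNERABLE)


def triage(inventory):
    # Sort hosts into patch-priority buckets; unparsable versions are
    # surfaced separately so they get a manual check instead of being
    # silently treated as safe.
    result = {"vulnerable": [], "patched": [], "unparseable": []}
    for host, buildinfo in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(buildinfo) else "patched"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-12s %s" % (bucket + ":", ", ".join(hosts) or "-"))
```

Hosts in the "vulnerable" bucket should be upgraded to 6.60.06008562 first; hosts in "unparseable" need a manual version check, since a missing or malformed value is not evidence that the system is patched.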
For organizations unable to immediately patch, network-level controls such as firewall rules limiting access to mail services may provide temporary mitigation. However, these should not be considered permanent solutions.
Conclusion
CVE-2025-42599 represents a serious threat to organizations using Active! Mail 6, with the combination of high severity, network accessibility, and active exploitation making it a top priority for security teams. The availability of a vendor patch simplifies remediation, though the window for exploitation before patching remains a concern. Security professionals should prioritize identification and patching of affected systems while monitoring for signs of compromise.
References
- “QUALITIA Security Advisory for Active! Mail 6,” QUALITIA CO., LTD., Apr. 18, 2025.
- “JVN#22348866: Active! Mail stack-based buffer overflow vulnerability,” JPCERT/CC, Apr. 18, 2025.
- “CVE-2025-42599 Detail,” NIST NVD, Apr. 18, 2025.
- “INCIBE-CERT Early Warning: CVE-2025-42599,” INCIBE, Apr. 19, 2025.
- “Vulners Database Entry for CVE-2025-42599,” Vulners, Apr. 18, 2025.
- “SecurityOnline Analysis of CVE-2025-42599,” SecurityOnline, Apr. 19, 2025.