{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59028", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2025-09-08T14:22:28.105Z", "datePublished": "2026-03-27T08:10:15.246Z", "dateUpdated": "2026-03-27T19:43:08.685Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["core"], "product": "OX Dovecot Pro", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "3.1.0", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "2.4.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:19.644Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "source": {"defect": "DOV-8349", "discovery": "INTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:42:58.044355Z", "id": "CVE-2025-59028", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:43:08.685Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:42:58.044355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:43:04.020Z"}}], "cna": {"source": {"defect": "DOV-8349", "discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open-Xchange GmbH", "modules": ["core"], "product": "OX Dovecot Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.0"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-20", "description": "Improper Input Validation"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-27T12:33:19.644Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59028", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:43:08.685Z", "dateReserved": "2025-09-08T14:22:28.105Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2026-03-27T08:10:15.246Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known."}], "id": "CVE-2025-59028", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-03-27T09:16:18.620", "references": [{"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{"bugzilla": {"description": "dovecot: Dovecot: Denial of Service via invalid SASL data", "id": "2452178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452178"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1286", "details": ["When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known.", "A flaw was found in Dovecot. A remote attacker can exploit this vulnerability by sending invalid base64 Simple Authentication and Security Layer (SASL) data to the server. This action disconnects the login process from the authentication server, causing all active authentication sessions to fail. Consequently, this can lead to a Denial of Service (DoS) for concurrent logins, preventing legitimate users from authenticating."], "name": "CVE-2025-59028", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T08:10:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59028\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59028\nhttps://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.4.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OX Dovecot Pro", "source": "cna", "vendor": "Open-Xchange GmbH"}, "product": "ox_dovecot_pro", "vendor": "open-xchange"}], "analysis": {"en": {"generated_at": "2026-03-28T13:30:09.613021+00:00", "value": {"mitigation_remediation": ["Apply the fixed OX Dovecot Pro release provided by the vendor"], "summary": {"action": "Patch or Disable", "impact": "Denial of Service via SASL authentication failure"}, "threat_synthesis": {"affected_systems": "The affected product is Open\u2011Xchange GmbH\u2019s OX Dovecot Pro. No specific version ranges are supplied in the CNA data; administrators should verify the version of OX Dovecot Pro they are running against the vendor\u2019s advisory for confirmation.", "description_and_impact": "The vulnerability occurs when an IMAP/SMTP client sends SASL authentication data that is not valid base64. This causes the authentication process to be disconnected from the authentication server, which in turn terminates all currently active authentication sessions. The result is a denial of service that disrupts concurrent logins to the server; legitimate users cannot authenticate while the server is in this disjoint state. The weakness involves improper handling of base64 decoding and insecure reliance on malformed input, aligning with CWE\u20111286 (Container Format Parsing Errors) and CWE\u201120 (Improper Input Validation).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score is less than 1%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exposures arise through normal network connections to the IMAP/SMTP interfaces when a client submits malformed SASL data; however, no publicly available exploits have been reported, so the attack is primarily a crafted DoS scenario rather than a remote code execution."}}}}, "created": "2026-03-27T15:47:13.222887+00:00", "updated": "2026-03-30T07:02:18.153518+00:00", "vendors": ["open-xchange", "open-xchange$PRODUCT$ox_dovecot_pro"]}