CVE-2025-59028 - Vulnerability Details

Description

When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known.

Published: 2026-03-27

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs when an IMAP/SMTP client sends SASL authentication data that is not valid base64. This causes the authentication process to be disconnected from the authentication server, which in turn terminates all currently active authentication sessions. The result is a denial of service that disrupts concurrent logins to the server; legitimate users cannot authenticate while the server is in this disjoint state. The weakness involves improper handling of base64 decoding and insecure reliance on malformed input, aligning with CWE‑1286 (Container Format Parsing Errors) and CWE‑20 (Improper Input Validation).

Affected Systems

The affected product is Open‑Xchange GmbH’s OX Dovecot Pro. No specific version ranges are supplied in the CNA data; administrators should verify the version of OX Dovecot Pro they are running against the vendor’s advisory for confirmation.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is less than 1%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exposures arise through normal network connections to the IMAP/SMTP interfaces when a client submits malformed SASL data; however, no publicly available exploits have been reported, so the attack is primarily a crafted DoS scenario rather than a remote code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Open-Xchange GmbH

OX Dovecot Pro

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1.0
`0`	affected	≤ 2.4.0

No data.

Vendor Product Confidence Versions

Open-xchange

Ox Dovecot Pro

95%

Version	Status	Scheme	Platform
`[0,3.1.0]`	affected	generic	—
`[0,2.4.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the fixed OX Dovecot Pro release provided by the vendor

Generated by OpenCVE AI on March 28, 2026 at 13:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00092.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json
https://nvd.nist.gov/vuln/detail/CVE-2025-59028
https://www.cve.org/CVERecord?id=CVE-2025-59028

History

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Open-xchange Open-xchange ox Dovecot Pro
Vendors & Products		Open-xchange Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 28 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	Denial of Service via Invalid Base64 SASL in OX Dovecot Pro	dovecot: Dovecot: Denial of Service via invalid SASL data
Weaknesses		CWE-1286
References		https://nvd.nist.gov/vuln/detail/CVE-2025-59028 https://www.cve.org/CVERecord?id=CVE-2025-59028
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Title		Denial of Service via Invalid Base64 SASL in OX Dovecot Pro

Fri, 27 Mar 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance penalty on large deployments). No publicly available exploits are known.
Weaknesses		CWE-20
References		https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Open-xchange Ox Dovecot Pro

MITRE

Status: PUBLISHED

Assigner: OX

Published: 2026-03-27T08:10:15.246Z

Updated: 2026-03-27T19:43:08.685Z

Reserved: 2025-09-08T14:22:28.105Z

Link: CVE-2025-59028

Vulnrichment

Updated: 2026-03-27T19:43:04.020Z

NVD

Status : Awaiting Analysis

Published: 2026-03-27T09:16:18.620

Modified: 2026-03-30T13:26:29.793

Link: CVE-2025-59028

Redhat

Severity : Moderate

Publid Date: 2026-03-27T08:10:15Z

Links: CVE-2025-59028 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:02:18Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object