Description
The ManageSieve AUTHENTICATE command crashes when a literal is used as the SASL initial response. This can be used to crash the ManageSieve service repeatedly, making it unavailable for other users. Control access to the ManageSieve port, or disable the service if it is not needed. Alternatively, upgrade to a fixed version. No publicly available exploits are known.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via service crash
Action: Patch Immediately
AI Analysis

Impact

The ManageSieve AUTHENTICATE command can crash when a literal is used as the SASL initial response. This results in the ManageSieve service becoming unavailable, denying legitimate users access to mailbox management functions. The flaw is an input validation error (CWE-20) that allows an attacker to cause a crash by sending a specially crafted request.

Affected Systems

The vulnerability affects Open-Xchange GmbH’s OX Dovecot Pro. Specific affected versions are not listed in the advisory, so all versions prior to the fixed release should be considered vulnerable until an update is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No public exploits are known and the EPSS score is unavailable, suggesting a moderate likelihood of exploitation. The attack requires network access to the ManageSieve port (typically 4190) and the ability to send a crafted AUTHENTICATE command. Because the issue leads to a crash rather than unauthorized data access, the primary risk is availability disruption; confidentiality and integrity remain unchanged.

Generated by OpenCVE AI on March 27, 2026 at 09:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of OX Dovecot Pro if available.
  • If an upgrade is not immediately possible, restrict or firewall the ManageSieve port to trusted hosts or disable the service entirely if not needed.
  • Monitor server logs for repeated AUTHENTICATE failures or crashes and verify that the service restarts reliably.
  • Consult Open-Xchange documentation for any vendor-specific guidance.


Tracking


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 10:00:00 +0000

Type: Title
  Values removed: (none)
  Values added: ManageSieve AUTHENTICATE Crash Causing Denial of Service in OX Dovecot Pro

Fri, 27 Mar 2026 08:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: The ManageSieve AUTHENTICATE command crashes when a literal is used as the SASL initial response. This can be used to crash the ManageSieve service repeatedly, making it unavailable for other users. Control access to the ManageSieve port, or disable the service if it is not needed. Alternatively, upgrade to a fixed version. No publicly available exploits are known.
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-20
Type: References
  Values removed: (none)
  Values added: (none)
Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T12:33:22.354Z

Reserved: 2025-09-08T14:22:28.105Z

Link: CVE-2025-59032

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T09:16:18.933

Modified: 2026-03-27T09:16:18.933

Link: CVE-2025-59032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:46Z

Weaknesses