Description
ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability in Open‑Xchange GmbH’s OX Dovecot Pro is triggered when a client sends an AUTHENTICATE command whose SASL initial response is supplied as a literal, which crashes the ManageSieve service. The crash denies legitimate users access to the service until it is restarted. The weakness is tied to improper input validation (CWE‑20) and, per CWE‑229, exhibits characteristics that may involve memory corruption. No publicly available exploits have been reported.

Affected Systems

This issue affects the ManageSieve component of OX Dovecot Pro. The advisory does not list specific affected versions, so any deployed instance of OX Dovecot Pro may be vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and no public exploits are known. The attack vector is remote, as the nature of the service implies: the ManageSieve service port is reachable over the network, so an attacker on any host that can reach it could send a crafted AUTHENTICATE request and crash the service repeatedly.

Generated by OpenCVE AI on March 30, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of OX Dovecot Pro
  • Restrict network access to the ManageSieve port
  • Disable the ManageSieve service if it is not required

Advisories

  Source      ID          Title
  Debian DSA  DSA-6197-1  dovecot security update
  Debian DSA  DSA-6197-2  dovecot regression update
  Ubuntu USN  USN-8136-1  Dovecot vulnerabilities

History

Thu, 30 Apr 2026 18:00:00 +0000

  First Time appeared
    Added: Dovecot; Dovecot dovecot; Open-xchange dovecot
  Weaknesses
    Added: NVD-CWE-noinfo
  CPEs
    Added: cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
    Added: cpe:2.3:a:open-xchange:dovecot:*:*:*:*:pro:*:*:*
  Vendors & Products
    Added: Dovecot; Dovecot dovecot; Open-xchange dovecot

Mon, 30 Mar 2026 12:15:00 +0000

  Title
    Removed: ManageSieve AUTHENTICATE Crash Causing Denial of Service in OX Dovecot Pro
    Added: dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command
  Weaknesses
    Added: CWE-229
  References
  Metrics (threat_severity)
    Removed: None
    Added: Important

Mon, 30 Mar 2026 07:15:00 +0000

  First Time appeared
    Added: Open-xchange; Open-xchange ox Dovecot Pro
  Vendors & Products
    Added: Open-xchange; Open-xchange ox Dovecot Pro

Sat, 28 Mar 2026 17:15:00 +0000

  Metrics (ssvc)
    Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 10:00:00 +0000

  Title
    Added: ManageSieve AUTHENTICATE Crash Causing Denial of Service in OX Dovecot Pro

Fri, 27 Mar 2026 08:30:00 +0000

  Description
    Added: ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known.
  Weaknesses
    Added: CWE-20
  References
  Metrics (cvssV3_1)
    Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

  Dovecot: Dovecot
  Open-xchange: Dovecot, Ox Dovecot Pro

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-27T19:42:05.292Z

Reserved: 2025-09-08T14:22:28.105Z

Link: CVE-2025-59032

Vulnrichment

Updated: 2026-03-27T19:41:58.648Z

NVD

Status: Analyzed

Published: 2026-03-27T09:16:18.933

Modified: 2026-04-30T17:47:03.487

Link: CVE-2025-59032

Redhat

Severity: Important

Public Date: 2026-03-27T08:10:16Z

Links: CVE-2025-59032 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T20:57:06Z