How to fix CVE-2025-53603?

Within 7 days: Identify all affected systems running Alinto SOPE SOGo 2.0.2 and apply vendor patches promptly. Monitor vendor channels for patch availability.

Is Null Pointer Dereference affected by CVE-2025-53603?

Organizations using Alinto SOPE SOGo 2.0.2 face notable risk from CVE-2025-53603, a null pointer dereference vulnerability rated CVSS 7.5. Exploitation could compromise the security of affected deployments.

CVE-2025-53603

EUVD-2025-20097 HIGH

2025-07-05 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 16, 2026 - 03:19 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 03:19 euvd

EUVD-2025-20097

CVE Published

Jul 05, 2025 - 01:15 nvd

HIGH 7.5

Description

In Alinto SOPE SOGo 2.0.2 through 5.12.2, sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference and SOGo crash via a request in which a parameter in the query string is a duplicate of a parameter in the POST body.

Analysis

Technical Context

A NULL pointer dereference occurs when the application attempts to use a pointer that has not been initialized or has been set to NULL.

Remediation

Add NULL checks before pointer dereference operations. Use static analysis to identify potential NULL pointer issues. Enable compiler warnings.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

Vendor Status

Ubuntu

Priority: Medium

sogo

Release	Status	Version
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	DNE	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
plucky	ignored	end of life, was needs-triage
questing	needs-triage	-

Debian

Bug #1108798

sope

Release	Status	Fixed Version	Urgency
bullseye	fixed	5.0.1-2+deb11u1	-
bullseye (security)	fixed	5.0.1-2+deb11u1	-
bookworm, bookworm (security)	fixed	5.8.0-1+deb12u1	-
trixie	fixed	5.12.1-2	-
forky, sid	fixed	5.12.4-1	-
bookworm	fixed	5.8.0-1+deb12u1	-
(unstable)	fixed	5.12.1-2	-

DLA-4260-1 DSA-5970-1

CVE-2025-53603 vulnerability details – vuln.today

Back

CVE-2025-53603

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-53603

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code