EUVD-2025-209088

CVE-2025-59028 | MEDIUM 5.3 (CVSS 3.1)
2026-03-27 | OX | GHSA-9q9x-wwfr-fxqm

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 13:49 (nvd): Patch available
EUVD ID Assigned: Mar 27, 2026 - 08:30 (euvd): EUVD-2025-209088
Analysis Generated: Mar 27, 2026 - 08:30 (vuln.today)
CVE Published: Mar 27, 2026 - 08:10 (nvd): MEDIUM 5.3

Description

When sending invalid base64 SASL data, the login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install the fixed version or disable concurrency in login processes (heavy performance penalty on large deployments). No publicly available exploits are known.

Analysis

In OX Dovecot Pro, the login process is disconnected from the authentication server when it processes invalid base64 SASL data, causing all active authentication sessions handled by that login process to fail and enabling denial of service against login infrastructure. Unauthenticated remote attackers can trigger the condition with minimal attack complexity by sending malformed base64 sequences to the SASL authentication handler. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.3, reflecting a limited availability impact with no confidentiality or integrity compromise.

Technical Context

The vulnerability resides in the SASL (Simple Authentication and Security Layer) authentication handling of OX Dovecot Pro (CPE cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro:*:*:*:*:*:*:*:*). The root cause is classified under CWE-20 (Improper Input Validation): base64-encoded authentication data is not sufficiently validated before it is processed. When the SASL handler receives a malformed or invalid base64 sequence, the login process is disconnected from the authentication server instead of gracefully rejecting the malformed input. Because all concurrent authentication sessions served by that login process share the same connection to the authentication server, severing that channel fails every one of them rather than isolating the failure to the offending request. The vulnerability therefore exposes a gap in input sanitization and error handling within the base64 decoding and SASL protocol state machine.
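A small Python model, added here as an illustration and not taken from Dovecot or the advisory, of the cascading failure just described: a strict base64 check that rejects a malformed SASL line per request, beside a simulated shared auth-server channel that, when torn down on a decode error, fails the innocent sessions sharing it. The session ids, PLAIN credentials and malformed line are constructed sample values.

```python
import base64
import binascii
from typing import List, Optional

# Constructed sample SASL PLAIN responses (RFC 4616 layout: \0authcid\0passwd);
# illustrative values, not data from the advisory.
VALID_RESPONSES = {
    1: base64.b64encode(b"\0alice\0correct-horse").decode(),
    2: base64.b64encode(b"\0bob\0battery-staple").decode(),
}
MALFORMED_RESPONSE = "!!! not base64 !!!"  # constructed invalid continuation line

def decode_sasl_response(line: str) -> Optional[bytes]:
    """Strictly decode one base64 SASL client response; None if malformed.
    validate=True makes non-alphabet characters and bad padding raise instead
    of being silently dropped, so the error surfaces here, per request."""
    try:
        return base64.b64decode(line, validate=True)
    except (binascii.Error, ValueError):
        return None

class AuthChannel:
    """The one connection a login process holds to the auth server, shared by
    every client session that process is serving concurrently."""

    def __init__(self) -> None:
        self.connected = True
        self.pending: List[int] = []  # session ids awaiting an auth verdict

    def submit(self, session_id: int) -> None:
        self.pending.append(session_id)

    def disconnect(self) -> List[int]:
        """Sever the shared channel; every pending session fails with it."""
        self.connected = False
        failed, self.pending = self.pending, []
        return failed

def simulate(isolate_errors: bool) -> List[int]:
    """Two well-formed sessions and one malformed line share one channel.
    Returns the ids of innocent sessions that failed as collateral damage.
    isolate_errors=False models the reported behaviour (decode error tears
    down the shared channel); True models per-session rejection."""
    channel = AuthChannel()
    for session_id, line in VALID_RESPONSES.items():
        if decode_sasl_response(line) is not None:
            channel.submit(session_id)
    if decode_sasl_response(MALFORMED_RESPONSE) is None and not isolate_errors:
        return channel.disconnect()
    return []  # hardened path: only the malformed session sees an error
```

Running simulate(False) returns the two innocent session ids, which is the cascading failure the advisory describes; simulate(True) returns an empty list because the decode error never reaches the shared channel.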

Affected Products

OX Dovecot Pro (Open-Xchange GmbH) is the sole affected product according to available intelligence. The vulnerability affects all versions of OX Dovecot Pro as indicated by the CPE designation (cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro:*:*:*:*:*:*:*:*), with the asterisk wildcard suggesting no specific version range boundary is disclosed in public documentation. The vendor security advisory is located at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json per the referenced CSAF advisory published by OX.

Remediation

Upgrade OX Dovecot Pro to the patched version specified in the vendor advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json. The vendor advisory notes that a fixed version is available, though the specific version number requires consultation of the CSAF document. As an interim mitigation prior to patch deployment, the vendor recommends disabling concurrency in login processes, though this introduces a significant performance penalty on large deployments and should be considered a temporary measure only. Organizations should also implement network-level rate limiting on SASL authentication endpoints to reduce the effective denial-of-service surface, and consider isolating Dovecot Pro instances with connection-state monitoring to rapidly detect and contain cascading session failures.

Priority Score

27
KEV: 0
EPSS: +0.1
CVSS: +26
POC: 0

Vendor Status

Ubuntu (Priority: Medium), package dovecot

Release   Status        Version
trusty    not-affected  2.4.1+ only
xenial    not-affected  2.4.1+ only
bionic    not-affected  2.4.1+ only
focal     not-affected  2.4.1+ only
jammy     not-affected  2.4.1+ only
noble     not-affected  2.4.1+ only
questing  needed        -
upstream  released      2.4.3

Debian, package dovecot

Release                        Status      Fixed Version                 Urgency
bullseye                       vulnerable  1:2.3.13+dfsg1-2+deb11u1      -
bullseye (security)            vulnerable  1:2.3.13+dfsg1-2+deb11u2      -
bookworm, bookworm (security)  vulnerable  1:2.3.19.1+dfsg1-2.1+deb12u1  -
trixie                         vulnerable  1:2.4.1+dfsg1-6+deb13u3       -
trixie (security)              vulnerable  1:2.4.1+dfsg1-6+deb13u1       -
forky, sid                     vulnerable  1:2.4.2+dfsg1-4               -
(unstable)                     fixed       (unfixed)                     -

EUVD-2025-209088 vulnerability details – vuln.today