CVE-2025-56425

An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://mind-bytes.de/smtp-injection-in-enaio-component-appconnector-cve-2025-56425/	Exploit Third Party Advisory
https://www.optimal-systems.de/enaio	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:optimal-systems:enaio::::::::
	cpe:2.3:a:optimal-systems:enaio::::::::
	cpe:2.3:a:optimal-systems:enaio::::::::

History

No history.

Information

Published : 2026-01-08 17:15

Updated : 2026-01-23 02:15

NVD link : CVE-2025-56425

Mitre link : CVE-2025-56425

CVE.ORG link : CVE-2025-56425

JSON object : View

Products Affected

optimal-systems

enaio

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2025-56425", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-01-08T17:15:47.957", "references": [{"url": "https://mind-bytes.de/smtp-injection-in-enaio-component-appconnector-cve-2025-56425/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.optimal-systems.de/enaio", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnctor component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint"}], "lastModified": "2026-01-23T02:15:57.013", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:optimal-systems:enaio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F788DEB2-E18F-4EBF-AF0B-1DC8F4A8D7C9", "versionEndExcluding": "10.10.0.183", "versionStartIncluding": "10.10.0.0"}, {"criteria": "cpe:2.3:a:optimal-systems:enaio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C7B7328-C113-411C-B67A-A1B0D1451BEA", "versionEndExcluding": "11.0.0.183", "versionStartIncluding": "11.0.0.0"}, {"criteria": "cpe:2.3:a:optimal-systems:enaio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2F05785-8670-4576-9DFC-6E9C44C7D634", "versionEndExcluding": "11.10.0.183", "versionStartIncluding": "11.10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}