Active! Mail remote code execution flaw actively exploited
Take action: If you run a webmail service based on Active! Mail, take it offline now and patch, because attackers are actively exploiting this flaw. Blocking oversized multipart/form-data requests at a WAF reduces exposure, but it is a stopgap, not a fix. Disable the service, apply the patch, then bring it back.
Learn More
A critical remote code execution vulnerability in Active! Mail is reported as actively exploited in attacks targeting large organizations in Japan. This web-based email client, originally developed by TransWARE and later acquired by Qualitia, is widely used in Japanese corporate environments: over 2,250 organizations and approximately 11 million accounts are affected.
The vulnerability, tracked as CVE-2025-42599 (CVSS score 9.8), is a stack-based buffer overflow. A remote, unauthenticated attacker can send a specially crafted request that leads to arbitrary code execution or a denial-of-service (DoS) condition.
The flaw affects all versions of Active! Mail up to and including 'BuildInfo: 6.60.05008561' on all supported operating systems.
Qualitia released a security bulletin confirming the vulnerability, and Japan's CERT has verified that it is being actively exploited. Multiple service providers have already reported attacks, including Kagoya Japan and WADAX, both of which have temporarily suspended their Active! Mail services as a precautionary measure to protect customers.
Qualitia has released version 6.60.06008562 to address this vulnerability, and all users are strongly urged to update immediately. For organizations unable to apply the security update promptly, Japan's CERT has suggested the following interim mitigations (they reduce exposure but do not remove the bug):
- Configure Web Application Firewalls (WAF) to enable HTTP request body inspection
- Block multipart/form-data requests whose headers exceed a set size threshold (the article gives no exact value; set it just above the largest legitimate multipart request your users send, and note that the second step only works once the first has given the WAF sight of the request body)
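The two mitigation steps above, as an added example written for this page (it is not Qualitia's, JPCERT's or any WAF vendor's code): a request filter of the kind a reverse proxy or WAF would run in front of Active! Mail. It inspects the buffered request body, rejects multipart/form-data requests whose declared or actual body size is over a limit, and also rejects any part whose header block is over a smaller limit, so it covers both readings of "oversized multipart headers". The threshold values, the `inspect_request` function name and the sample requests are assumptions constructed for the demonstration.

```python
import re

# Assumed thresholds for this demonstration; the advisory names no exact
# values, so tune them to the largest legitimate uploads your users send.
MAX_MULTIPART_BODY_BYTES = 20 * 1024 * 1024   # total multipart/form-data body
MAX_PART_HEADER_BYTES = 4 * 1024               # header block of any single part

_BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _part_header_blocks(body, boundary):
    """Yield the raw header block of each multipart part (bytes before CRLF CRLF)."""
    delimiter = b"--" + boundary.encode("ascii", "replace")
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, sep, _ = chunk.partition(b"\r\n\r\n")
        yield head if sep else chunk         # unterminated: whole chunk is "header"


def inspect_request(headers, body):
    """Return (block, reason) for one fully buffered HTTP request.

    `body` must be the complete request body. A WAF that has not enabled body
    inspection hands this an empty body and the part-header check is blind,
    which is why the advisory lists body inspection as its first step.
    """
    content_type = _header(headers, "Content-Type") or ""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "multipart/form-data":
        return False, "not multipart/form-data"

    declared = _header(headers, "Content-Length")
    if declared is not None:
        if not declared.strip().isdigit():
            return True, "malformed Content-Length"
        if int(declared) > MAX_MULTIPART_BODY_BYTES:
            return True, f"declared body length {declared.strip()} exceeds threshold"
    if len(body) > MAX_MULTIPART_BODY_BYTES:
        return True, f"body of {len(body)} bytes exceeds threshold"

    match = _BOUNDARY_RE.search(content_type)
    if not match:
        # Fail closed while exploitation is active: multipart without a usable
        # boundary is malformed and has no legitimate reason to reach the app.
        return True, "multipart/form-data without boundary parameter"

    for index, head in enumerate(_part_header_blocks(body, match.group(1))):
        if len(head) > MAX_PART_HEADER_BYTES:
            return True, f"part {index} header block of {len(head)} bytes exceeds threshold"
    return False, "multipart/form-data within limits"


def _multipart(boundary, parts):
    """Build a constructed multipart/form-data body from (header_block, payload) pairs."""
    out = b""
    for head, payload in parts:
        out += b"--" + boundary + b"\r\n" + head + b"\r\n\r\n" + payload + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def demo():
    """Run the filter over constructed sample requests; returns {name: (block, reason)}."""
    boundary = b"AaB03x"
    normal = _multipart(boundary, [
        (b'Content-Disposition: form-data; name="f"; filename="a.txt"\r\nContent-Type: text/plain', b"hello"),
    ])
    padded = _multipart(boundary, [(b"X-Pad: " + b"A" * (2 * MAX_PART_HEADER_BYTES), b"x")])
    samples = {
        "plain_get": ({"Host": "mail.example.invalid"}, b""),
        "json_post": ({"Content-Type": "application/json", "Content-Length": "2"}, b"{}"),
        "normal_upload": ({"Content-Type": "multipart/form-data; boundary=AaB03x",
                           "Content-Length": str(len(normal))}, normal),
        "oversized_part_header": ({"content-type": 'multipart/form-data; boundary="AaB03x"',
                                   "Content-Length": str(len(padded))}, padded),
        "oversized_declared_body": ({"Content-Type": "multipart/form-data; boundary=AaB03x",
                                     "Content-Length": str(MAX_MULTIPART_BODY_BYTES + 1)}, normal),
        "missing_boundary": ({"Content-Type": "multipart/form-data"}, normal),
    }
    return {name: inspect_request(h, b) for name, (h, b) in samples.items()}


if __name__ == "__main__":
    for name, (block, reason) in demo().items():
        print(f"{'BLOCK' if block else 'allow':5}  {name:24}  {reason}")
```

In production this logic belongs in the WAF itself rather than in application code; the first advisory step corresponds to enabling request-body access (ModSecurity's `SecRequestBodyAccess On`, for example), and the second is a rule keyed on the `Content-Type` header plus a size limit. Whatever the engine, keep the filter fail-closed for malformed multipart while the service is exposed, and remove it only after the patched build is running.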