CVE-2025-40630— Open redirection vulnerability in IceWarp Mail Server
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-40630
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Open redirection vulnerability in IceWarp Mail Server
Source: NVD (National Vulnerability Database)
Vulnerability Description
Open redirection vulnerability in IceWarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to redirect a user to any domain by sending a malicious URL to the victim, for example “ https://icewarp.domain.com//<MALICIOUS_DOMAIN>/%2e%2e” https://icewarp.domain.com///%2e%2e” . This vulnerability has been tested in Firefox.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Vulnerability Title
IceWarp Mail Server 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
IceWarp Mail Server是捷克爱思华宝(IceWarp)公司的一款邮件服务器产品。该产品支持电子邮件归档、SmartAttach附件、自动迁移等。 IceWarp Mail Server 11.4.0版本存在输入验证错误漏洞,该漏洞源于开放重定向,可能导致用户被重定向到任意域。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Icewarp | Icewarp Mail Server | 11.4.0 | - |
II. Public POCs for CVE-2025-40630
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | IceWarp Mail Server version 11.4.0 and below contains an open redirect vulnerability that allows attackers to redirect users to arbitrary external domains through malicious URLs. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-40630.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-40630
请登录查看更多情报信息。
Same Patch Batch · Icewarp · 2025-05-16 · 3 CVEs total
| CVE-2025-40632 | Cross-site scripting (XSS) vulnerability in IceWarp Mail Server | |
| CVE-2025-40631 | HTTP host header injection vulnerability in IceWarp Mail Server |
IV. Related Vulnerabilities
Same vendor: Icewarp
- CVE-2018-25269
ICEWARP 11.0.0.0 Cross-Site Scripting via Email HTML Injecti - CVE-2026-2493
IceWarp collaboration Directory Traversal Information Disclo - CVE-2025-14500
IceWarp14 X-File-Operation Command Injection Remote Code Exe - CVE-2025-14499
IceWarp gmaps Cross-Site Scripting Authentication Bypass Vul - CVE-2025-40632
Cross-site scripting (XSS) vulnerability in IceWarp Mail Ser
Same weakness: CWE-601
- CVE-2026-42350
Kargo: Open Redirect in UI OIDC Login Flow via redirectTo Qu - CVE-2026-42195
Unvalidated gitlab URL parameter redirects OAuth authorize s - CVE-2026-3318
Multiple vulnerabilities in Cradle e-commerce - CVE-2026-42259
Saltcorn: Open Redirect in `POST /auth/login` due to incompl - CVE-2026-6795
Open Redirect in DivvyDrive Information Technologies' DivvyD
V. Comments for CVE-2025-40630
No comments yet