CVE-2025-1741
📋 TL;DR
This vulnerability in b1gMail allows remote attackers to perform deserialization attacks via the query/q parameter in the admin users.php file. It affects b1gMail installations up to version 7.4.1-pl1, potentially allowing attackers to execute arbitrary code or manipulate application data. Only systems with the vulnerable component exposed are affected.
💻 Affected Systems
- b1gMail
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or server takeover
Likely Case
Application data manipulation, privilege escalation, or denial of service
If Mitigated
Limited impact due to proper input validation and access controls
🎯 Exploit Status
Exploitation requires access to admin functionality; proof-of-concept details available in public gist
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1-pl2
Vendor Advisory: https://github.com/b1gMail-OSS/b1gMail/releases/tag/7.4.1-pl2
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download version 7.4.1-pl2 from the official repository.
3. Replace the affected files.
4. Verify patch application using commit hash 4816c8b748f6a5b965c8994e2cf10861bf6e68aa.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize the query/q parameter before deserialization
Modify src/admin/users.php to validate/sanitize query parameters before processing
Access Restriction
Restrict access to admin pages to trusted IP addresses only
Add IP whitelisting to .htaccess or web server configuration for admin directory
🧯 If You Can't Patch
- Implement strict input validation for all query parameters
- Restrict admin page access to internal networks only
🔍 How to Verify
Check if Vulnerable:
Check if b1gMail version is 7.4.1-pl1 or earlier and if src/admin/users.php exists with vulnerable code
Check Version:
Check version in b1gMail admin panel or examine version files in installation directory
Verify Fix Applied:
Verify commit hash 4816c8b748f6a5b965c8994e2cf10861bf6e68aa is present in installation
📡 Detection & Monitoring
Log Indicators:
- Unusual query parameters in admin access logs
- Multiple failed deserialization attempts
Network Indicators:
- Suspicious POST requests to admin/users.php with crafted query parameters
SIEM Query:
source="web_access.log" AND uri="/admin/users.php" AND (query="*" OR q="*")
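The SIEM query above matches any request that carries a query or q parameter. As an added example (not from the CVE entry or the b1gMail project), the script below narrows that to values that look like serialized data. It assumes PHP serialize() syntax, an Apache/nginx combined access log, and that a payload may optionally be base64-wrapped; the sample log lines are constructed.

```python
import base64, binascii, re
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: payloads use PHP serialize() syntax (object O:, custom C:, array a:).
PHP_SERIALIZED = re.compile(rb'(?:^|[;{])(?:[OC]:\d+:"[^"]+":\d+:|a:\d+:\{)')
# Assumption: Apache/nginx combined log format; POST bodies are not logged here.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def candidates(value):
    """Yield the value as bytes and, if it is valid base64, its decoded form."""
    raw = value.encode("utf-8", "replace")
    yield raw
    try:
        yield base64.b64decode(raw + b"=" * (-len(raw) % 4), validate=True)
    except (binascii.Error, ValueError):
        pass

def suspicious(request_target):
    """True if query/q on admin/users.php carries serialized-looking data."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/admin/users.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(PHP_SERIALIZED.search(c)
               for name in ("query", "q")
               for value in params.get(name, [])
               for c in candidates(value))

def scan(lines):
    """Return 1-based numbers of log lines whose request looks suspicious."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and suspicious(m.group(1)):
            hits.append(n)
    return hits

# Constructed sample log lines; the marker is an inert empty stdClass object.
_OBJ = 'O:8:"stdClass":0:{}'
_B64 = quote(base64.b64encode(_OBJ.encode()).decode())
_PRE, _POST = '192.0.2.10 - - [01/Mar/2025:10:00:00 +0000] "GET ', ' HTTP/1.1" 200 512'
SAMPLE = [
    _PRE + "/admin/users.php?q=alice" + _POST,
    _PRE + "/admin/users.php?query=" + quote(_OBJ) + _POST,
    _PRE + "/admin/users.php?q=" + _B64 + _POST,
    _PRE + "/index.php?q=" + quote(_OBJ) + _POST,
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Access logs record only the request line, so parameters sent in a POST body need WAF or application-level logging to be inspected the same way.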
🔗 References
- https://gist.github.com/mcdruid/cb0b848c12fd6a6bc0c1b3357b983d30
- https://github.com/b1gMail-OSS/b1gMail/commit/4816c8b748f6a5b965c8994e2cf10861bf6e68aa
- https://github.com/b1gMail-OSS/b1gMail/releases/tag/7.4.1-pl2
- https://vuldb.com/?ctiid.297829
- https://vuldb.com/?id.297829
- https://vuldb.com/?submit.505838
- https://www.b1gmail.eu/forum/thread/217-security-update-to-b1gmail-7-4-1-released/