CVE-2025-26842
📋 TL;DR
This vulnerability in Znuny lets agents who have access to the CommunicationLog read the content of S/MIME-encrypted emails belonging to tickets that their ticket permissions would otherwise deny them. It affects Znuny installations through version 7.1.3 that use S/MIME encryption; the fix is in 7.1.4. It is an information disclosure issue: the CommunicationLog view does not enforce the ticket-level access controls that the ticket views enforce.
💻 Affected Systems
- Znuny
📦 What is this software?
Znuny by Znuny
⚠️ Risk & Real-World Impact
Worst Case
Sensitive communications that were S/MIME-encrypted precisely to limit their readership (financial data, PII, trade secrets) are exposed to internal agents who were never granted the tickets they belong to, potentially leading to a reportable data breach, regulatory violations, and reputational damage.
Likely Case
Internal agents with CommunicationLog access read confidential emails outside their own queues, violating the confidentiality requirements that motivated the encryption in the first place.
If Mitigated
With CommunicationLog access limited to a small set of trusted administrators, the exposure is confined to accounts that already hold broad privileges, which reduces the impact but does not remove it; only the patch restores the intended access control.
🎯 Exploit Status
Exploitation requires an authenticated agent account that is allowed to open the CommunicationLog. No special technical skill is needed beyond using the normal web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.4 and later
Vendor Advisory: https://www.znuny.org/en/advisories/zsa-2025-01
Restart Required: Yes
Instructions:
1. Back up your Znuny installation and database.
2. Download Znuny 7.1.4 or later from the official website.
3. Follow the official upgrade procedure for your installation type.
4. Restart the Znuny service.
5. Verify the fix by checking that S/MIME-encrypted content from tickets a test agent has no permission on is no longer readable through the CommunicationLog.
🔧 Temporary Workarounds
Restrict CommunicationLog Access
Limit CommunicationLog access to the administrators who genuinely need it. Access is governed by the group assigned to the AdminCommunicationLog frontend module in SysConfig (the admin group by default); review that group's membership and remove accounts that do not need it.
Disable CommunicationLog Feature
Until patching is complete, temporarily remove CommunicationLog access from everyone except the administrators handling the upgrade, so that the view itself is effectively unavailable to the rest of the agent population.
🧯 If You Can't Patch
- Immediately restrict CommunicationLog permissions to the smallest possible set of trusted administrators
- Implement additional monitoring and auditing of CommunicationLog access to detect any unauthorized viewing attempts
🔍 How to Verify
Check if Vulnerable:
1. Create a ticket containing an S/MIME-encrypted email.
2. Place the ticket in a queue on which a second test agent has no ticket permission.
3. Log in as that second agent, who must have CommunicationLog access.
4. Open the CommunicationLog and check whether the encrypted email's content from the restricted ticket is readable. If it is, the installation is vulnerable.
Check Version:
The installed version is shown in the admin area of the Znuny web interface and is recorded in the RELEASE file in the Znuny home directory (for example `cat /opt/znuny/RELEASE` on a default installation; adjust the path to your install). Any version below 7.1.4 is affected.
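As an added example (not part of the original page or of Znuny itself), the following script decides from the contents of a RELEASE file whether an installation predates the 7.1.4 fix. It assumes the file holds `PRODUCT = ...` and `VERSION = ...` lines and, for `check_install`, that the Znuny home directory is /opt/znuny; the sample RELEASE content is constructed for the example. Versions are compared numerically so that a future 7.1.10 is correctly treated as newer than 7.1.4.

```python
"""Check whether a Znuny RELEASE file reports a version below the 7.1.4 fix.

Assumptions (this example's, not Znuny's documentation): the RELEASE file in
the Znuny home directory contains lines of the form 'PRODUCT = Znuny' and
'VERSION = 7.1.3'. SAMPLE_RELEASE below is constructed for demonstration.
"""
import re
from pathlib import Path

FIXED_VERSION = (7, 1, 4)          # first release carrying the fix

# Constructed sample content of a RELEASE file from an unpatched install.
SAMPLE_RELEASE = """\
PRODUCT = Znuny
VERSION = 7.1.3
"""


def parse_release(text):
    """Return a dict of KEY -> VALUE from 'KEY = VALUE' lines; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*=\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def version_tuple(version):
    """'7.1.3' -> (7, 1, 3). Components are compared as integers, so 7.1.10 > 7.1.4.
    Parsing stops at the first component that does not start with digits
    (e.g. a pre-release tag), which is then ignored."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(release_text):
    """True if the RELEASE text describes a Znuny version older than 7.1.4."""
    fields = parse_release(release_text)
    if fields.get("PRODUCT") != "Znuny" or "VERSION" not in fields:
        raise ValueError("not a Znuny RELEASE file")
    return version_tuple(fields["VERSION"]) < FIXED_VERSION


def check_install(home="/opt/znuny"):
    """Read the RELEASE file of a live installation (path is an assumption)."""
    return is_vulnerable(Path(home, "RELEASE").read_text())


if __name__ == "__main__":
    print("sample install vulnerable:", is_vulnerable(SAMPLE_RELEASE))
```

Run it on a real host by calling `check_install()` with the actual Znuny home directory; a `True` result means the version predates the fix and the workarounds above apply until the upgrade is done.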
Verify Fix Applied:
After patching, repeat the steps under "Check if Vulnerable" with the same two test agents. The content of the encrypted email should no longer be readable through the CommunicationLog by an agent who has no permission on the ticket it belongs to.
📡 Detection & Monitoring
Log Indicators:
- CommunicationLog access by accounts that are not on the approved administrator list, or access to communications tied to tickets outside that account's queues
- Bursts of CommunicationLog lookups from a single account in a short period, which is what browsing through other people's encrypted mail would look like
Network Indicators:
- In the web server access log, requests carrying Action=AdminCommunicationLog (the frontend module behind the CommunicationLog view) from sessions that do not belong to administrative accounts; note that the default Apache access log records the URL but not the Znuny agent login, so correlating to a user requires the session or Znuny-side logging
SIEM Query:
The following is a pseudo-query; map the source name, event names and the user field to whatever your log source actually emits before using it:

source="znuny" AND (event="CommunicationLog access" OR event="encrypted email view") AND user NOT IN [admin_users_list]
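The detection logic behind the two log indicators above, as an added example that is not part of the original page or of Znuny: it flags every CommunicationLog request by an account outside an allow-list, and separately flags accounts that issue a burst of CommunicationLog requests within a sliding time window. The event format (JSON lines with `ts`, `user` and `action` fields) and the sample events are constructed for this example; only the action name AdminCommunicationLog is taken from Znuny's frontend module naming.

```python
"""Flag CommunicationLog access by unapproved accounts and bursts of such access.

Assumptions (this example's, not a Znuny log format): each event is a JSON
object with "ts" (ISO 8601), "user" (agent login) and "action" (Znuny frontend
action). SAMPLE_EVENTS is constructed; the burst from agent.bob is the thing a
detection should catch.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_ACTION = "AdminCommunicationLog"          # Znuny frontend module of the view
ALLOWED_USERS = {"root@localhost", "sec-admin"}   # accounts permitted to use it (example)
BURST_THRESHOLD = 5                               # requests ...
BURST_WINDOW = timedelta(minutes=10)              # ... within this window

SAMPLE_EVENTS = """\
{"ts": "2025-03-03T09:00:01", "user": "sec-admin", "action": "AdminCommunicationLog"}
{"ts": "2025-03-03T09:05:10", "user": "agent.bob", "action": "AgentTicketZoom"}
{"ts": "2025-03-03T09:06:00", "user": "agent.bob", "action": "AdminCommunicationLog"}
{"ts": "2025-03-03T09:06:05", "user": "agent.bob", "action": "AdminCommunicationLog"}
{"ts": "2025-03-03T09:06:09", "user": "agent.bob", "action": "AdminCommunicationLog"}
{"ts": "2025-03-03T09:06:14", "user": "agent.bob", "action": "AdminCommunicationLog"}
{"ts": "2025-03-03T09:06:20", "user": "agent.bob", "action": "AdminCommunicationLog"}
{"ts": "2025-03-03T10:30:00", "user": "agent.bob", "action": "AdminCommunicationLog"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting "ts" to datetime; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_unauthorized(events, allowed=ALLOWED_USERS):
    """Every CommunicationLog request made by a user not on the allow-list."""
    return [e for e in events
            if e["action"] == WATCHED_ACTION and e["user"] not in allowed]


def find_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Map user -> largest number of CommunicationLog requests seen inside any
    `window`, for users that reached `threshold`. Sliding window per user."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == WATCHED_ACTION:
            per_user[e["user"]].append(e["ts"])

    bursts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # advance the window start until it fits within `window` of stamps[end]
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in find_unauthorized(evs):
        print("unapproved CommunicationLog access:", e["user"], e["ts"].isoformat())
    for user, n in find_bursts(evs).items():
        print(f"burst: {user} made {n} CommunicationLog requests within {BURST_WINDOW}")
```

The allow-list check is the one that matters most while unpatched, since any CommunicationLog access by a non-administrator is already a policy violation; the burst check adds signal for the case where an approved account is being misused to browse encrypted mail.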