CVE-2025-42599 — Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability

Qualitia Active! Mail — Pre-Auth Stack Buffer Overflow RCE; Zero-Day Targeting Japanese Universities and Hosting Providers

What is Qualitia Active! Mail?

Qualitia Active! Mail is a Japanese webmail platform widely deployed by universities, ISPs, and web hosting providers throughout Japan to provide browser-based email access to large user bases. It is one of the leading webmail solutions in the Japanese enterprise and education market, with significant deployment across Japanese universities and shared hosting providers. Because Active! Mail serves as the primary email interface for many organizations' users, a pre-authentication RCE vulnerability exposes all user email accounts and potentially the underlying server infrastructure. The concentrated deployment in Japan's academic and hosting sectors makes it a focused target for attackers seeking access to Japanese organizational data.

Overview

CVE-2025-42599 is a critical stack-based buffer overflow vulnerability (CWE-121, CVSS 9.8) in Qualitia Active! Mail 6. A specially crafted HTTP request triggers insufficient bounds checking on attacker-supplied input, overflowing a stack buffer and enabling arbitrary code execution on the server — with no authentication required. Exploitation was detected as a zero-day on 15 April 2025, three days before Qualitia's advisory. Attacks were focused entirely on Japanese organizations: universities, hosting providers (Kagoya Japan, WADAX), and ISPs, with over 11 million user accounts estimated at risk.

Affected Versions

Product: Active! Mail 6
Vulnerable: BuildInfo 6.60.05008561 and earlier
Fixed: BuildInfo 6.60.06008562

Technical Details

The vulnerability (CWE-121: Stack-Based Buffer Overflow) is in Active! Mail's HTTP request processing layer. The application fails to validate the length of attacker-supplied input before copying it into a fixed-size stack buffer. By sending a specially crafted HTTP request containing an oversized value in the relevant field, an attacker overflows the stack buffer, overwriting the saved return address and enabling control of the instruction pointer. With ASLR and stack canary defenses either absent or bypassable in the affected version, the attacker achieves arbitrary code execution as the webmail service user.

The vulnerability is reachable without authentication — the vulnerable parsing occurs before any login or session check. CVSS 9.8: network-accessible, no authentication, no user interaction required. Qualitia noted that "procedures for confirming attacks targeting this vulnerability are complex" — indicating the exploitation pattern is subtle and may be difficult to detect in logs without specific forensic tooling.

Discovery

The vulnerability has not been publicly attributed to an individual researcher. It was reported through JPCERT/CC's coordinated vulnerability disclosure program (JVN#22348866). IIJ (Internet Initiative Japan) first detected active exploitation in the wild on April 15, 2025.

Exploitation Context

Zero-day exploitation began April 15, 2025 — three days before Qualitia's advisory — detected by IIJ. Attack targets were concentrated entirely in Japan:

  • Kagoya Japan (web hosting provider): reported external attacks targeting Active! Mail deployments; temporarily suspended service to protect customers.
  • WADAX (web hosting provider): reported similar attack activity.
  • Multiple Japanese universities: at least 63 universities using Active! Mail were identified as exposed.

Over 227 internet-exposed Active! Mail servers were identified, putting an estimated 11 million user accounts at risk. CISA added CVE-2025-42599 to the KEV catalog on 28 April 2025, one of the fastest CISA KEV additions for a Japan-specific product, reflecting the severity and confirmed exploitation. No specific threat actor has been publicly attributed.

Remediation

  1. Upgrade Active! Mail to BuildInfo 6.60.06008562 immediately — contact Qualitia or your hosting provider for the update package.
  2. For organizations unable to upgrade immediately: take the Active! Mail service offline or restrict access to trusted IP ranges until the patch can be applied — given the pre-authentication nature of the exploit, internet exposure is not safe without the patch.
  3. Notify affected users: given the scale of potential account exposure, consider notifying all users to change passwords and enable any available two-factor authentication.
  4. Review server logs for unusual HTTP requests — look for oversized requests or requests with anomalous field lengths to the login/session handling endpoints, particularly before April 18, 2025.
  5. Check for unauthorized access to user mailboxes: audit mail server logs for logins from unexpected IP addresses, forwarding rules added to user accounts, or email exfiltration patterns.
  6. Engage JPCERT/CC if you observe exploitation indicators — Japan's coordinated response infrastructure is active on this CVE.
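Remediation step 4 asks for a log review for oversized requests and anomalous field lengths against login/session endpoints, with particular attention to traffic before the April 18, 2025 advisory. The triage script below is an added example, not Qualitia's or JPCERT/CC's tooling. It assumes combined-format access logs with nginx's $request_length appended as a final field, assumes a placeholder login/session path pattern (the advisory does not name the vulnerable endpoint), and uses constructed sample lines and assumed thresholds that you should derive from your own baseline.

```python
import re
from datetime import date, datetime

# Assumed log format (an assumption, not Active! Mail documentation): combined
# access-log format with nginx's $request_length appended as a final field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: (?P<reqlen>\d+))?$'
)
# Placeholder: the advisory does not name the vulnerable endpoint, so tune
# this pattern to the login/session paths of your own deployment.
LOGIN_ENDPOINTS = re.compile(r"/(login|session)", re.IGNORECASE)
ADVISORY_DATE = date(2025, 4, 18)  # Qualitia advisory and fixed build date


def triage(log_text, target_max=2048, request_max=8192):
    """Return one dict per request whose request line or total size exceeds
    the thresholds (assumed values; derive them from your traffic baseline)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        reasons = []
        if len(m["target"]) > target_max:
            reasons.append("oversized request target")
        if m["reqlen"] and int(m["reqlen"]) > request_max:
            reasons.append("oversized request size")
        if not reasons:
            continue
        if LOGIN_ENDPOINTS.search(m["target"]):
            reasons.append("login/session endpoint")
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if when.date() < ADVISORY_DATE:
            reasons.append("pre-advisory")  # inside the zero-day window
        hits.append({"ip": m["ip"], "time": when.isoformat(), "status": m["status"],
                     "target_len": len(m["target"]), "reasons": reasons})
    return hits


# Constructed sample lines (RFC 5737 test addresses, not real traffic); the
# second line carries a 4000-byte query value to a login path on 15 April.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [14/Apr/2025:09:12:01 +0900] "GET /index.html HTTP/1.1" 200 512 341',
    '203.0.113.77 - - [15/Apr/2025:02:47:33 +0900] "POST /login?id=' + "A" * 4000
    + ' HTTP/1.1" 500 0 9212',
    '198.51.100.9 - - [20/Apr/2025:11:03:10 +0900] "POST /login HTTP/1.1" 302 0 655',
])
```

Calling triage(SAMPLE_LOG) returns only the second line, tagged with all four reasons; feed it the text of a real access log and review each flagged record alongside the mailbox-access checks in step 5.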

Key Details

CVE ID: CVE-2025-42599
Vendor / Product: Qualitia — Active! Mail
NVD Published: 2025-04-18
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-121
CISA KEV Added: 2025-04-28
CISA KEV Deadline: 2025-05-19
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-05-19. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-04-15: IIJ (Internet Initiative Japan) first detects active exploitation — zero-day; Kagoya Japan and WADAX report external attacks
2025-04-18: Qualitia publishes advisory and fixed version (BuildInfo 6.60.06008562); JPCERT/CC publishes JVN#22348866
2025-04-28: CISA adds CVE-2025-42599 to the Known Exploited Vulnerabilities catalog
2025-05-19: CISA BOD 22-01 remediation deadline