An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.
Active! mail is a web-based email client developed initially by TransWARE and later acquired by Qualitia, both Japanese companies.
While it’s not widely used worldwide like Gmail or Outlook, Active! is often used as a groupware component in Japanese-language environments of large corporations, universities, government agencies, and banks.
According to the vendor, Active! is used in over 2,250 organizations, boasting over 11,000,000 accounts, making it a significant player in the country’s business webmail market.
Late last week, Qualitia released a security bulletin about a stack-based buffer overflow vulnerability tracked under CVE-2025-42599 (CVSS v3 score: 9.8, “critical”) impacting all versions of Active! up to and including ‘BuildInfo: 6.60.05008561’ on all supported OS platforms.
“If a maliciously crafted request is sent by a remote third party, there is a possibility of arbitrary code execution or a denial-of-service (DoS) condition being triggered,” reads the bulletin.
Although Qualitia mentions investigating whether the flaw has been exploited, Japan’s CERT has confirmed its active exploitation status, urging all users to update to Active! Mail 6 BuildInfo: 6.60.06008562 as soon as possible.
Japanese web hosting and IT services (SMB) provider Kagoya Japan reported several external attacks over the weekend, prompting it to temporarily suspend the service.
“We suspect that this issue is related to a vulnerability disclosed by QUALITIA (the developer),” reads the bulletin Kagoya published earlier.
A similar service outage following believed exploitation attempts was also reported by web hosting and IT services provider WADAX.
“At this stage, we cannot yet guarantee the safe use of the service for our customers,” announced WADAX.
“Therefore, with customer safety as our top priority, we have temporarily suspended the Active! mail service as a precaution.”
Macnica security researcher Yutaka Sejiyama told BleepingComputer that at least 227 internet-exposed Active! servers that are potentially exposed to these attacks, with 63 of them used in universities.
Japan’s CERT has proposed specific mitigation steps for those unable to apply the security update immediately, including configuring the Web Application Firewall (WAF) to enable HTTP request body inspection and block multipart/form-data headers if their size exceeds a certain threshold.
