A critical Server-Side Template Injection (SSTI) vulnerability has been identified in the mailcow: dockerized email suite. This flaw allows a remote attacker to execute arbitrary code on the server by injecting malicious content into a notification template, potentially leading to a complete system compromise, data theft, and disruption of email services.

The vulnerability is a Server-Side Template Injection (SSTI) within the notification template system of mailcow: dockerized. An attacker with privileges to modify these templates can inject template syntax that is improperly sanitized and executed directly on the server. By crafting a malicious payload, an attacker can escape the template sandbox and execute arbitrary commands with the permissions of the web application, leading to Remote Code Execution (RCE).

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation would grant an attacker full control over the mail server, posing a severe risk to the organization. Potential consequences include the theft of sensitive communications and credentials, loss of data integrity as the attacker could modify or delete emails, and loss of availability of the email service. The compromised server could also be used as a pivot point to attack other internal network resources or be leveraged for malicious activities such as phishing campaigns, further damaging the organization's reputation.

Immediate Action: Immediately update all instances of mailcow: dockerized to version 2025-07 or a later version, which contains the patch for this vulnerability. After patching, it is crucial to review system and application logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor application logs for suspicious input in fields related to notification templates, specifically looking for common template syntax such as {{...}}, {%...%}, or ${...}. Monitor for unexpected processes being spawned by the mailcow web server and any unusual outbound network connections from the mailcow containers, as these could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Restrict administrative access to the mailcow UI to a limited set of trusted IP addresses.
• Utilize a Web Application Firewall (WAF) with rules designed to detect and block SSTI attack patterns.
• If the custom notification feature is not in use, disable it to remove the attack vector.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the high potential for full system compromise, this vulnerability requires immediate attention. Although not currently listed on the CISA KEV catalog, its severity warrants treating it as an urgent threat. We strongly recommend that organizations prioritize the deployment of the security update for all affected mailcow: dockerized instances without delay. If patching is not immediately possible, the compensating controls outlined above should be implemented as a temporary measure to reduce the attack surface.