A critical zero-day vulnerability in Active! Mail, a widely used Japanese webmail client, is being actively exploited in targeted attacks across major sectors in Japan. The flaw, now tracked as CVE-2025-42599, allows remote code execution (RCE) and poses a high risk to over 11 million user accounts.
CVE-2025-42599: Critical Buffer Overflow Bug Confirmed Under Exploitation
On April 19, software vendor Qualitia released a bulletin detailing a stack-based buffer overflow issue impacting all Active! Mail versions up to and including BuildInfo: 6.60.05008561. The bug, rated 9.8 on the CVSS v3 scale, allows an attacker to send specially crafted requests to execute arbitrary code or cause a denial-of-service (DoS).
Although Qualitia initially noted it was investigating signs of exploitation, Japan’s CERT later confirmed that the flaw is actively being used in real-world attacks.
Active! Mail Is Widely Deployed in Japan’s Enterprise and Public Sectors
Active! Mail, originally developed by TransWARE and now owned by Qualitia, is not globally mainstream but remains a key component in Japan’s corporate, university, government, and banking sectors.
- Used in 2,250+ organizations
- Powers over 11 million active mail accounts
This makes the vulnerability especially dangerous within Japanese enterprise infrastructure.
Attacks Prompt Service Outages at Multiple Hosting Providers
Two major Japanese IT service providers, Kagoya Japan and WADAX, both reported external attacks over the weekend. In response, each temporarily suspended Active! Mail services to protect their customer environments.
Kagoya stated:
“We suspect that this issue is related to a vulnerability disclosed by QUALITIA.”
WADAX added:
“At this stage, we cannot yet guarantee the safe use of the service… we have temporarily suspended the Active! mail service as a precaution.”
Widespread Exposure Includes Critical Infrastructure and Universities
Macnica security researcher Yutaka Sejiyama found at least 227 internet-exposed Active! Mail servers, with 63 belonging to universities, increasing the risk of further exploitation.
Japan’s CERT issued mitigation guidance for organizations unable to patch immediately. This includes:
- Enabling HTTP request body inspection via WAF
- Blocking multipart/form-data headers if they exceed a certain size
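The second mitigation above, sketched as request-inspection logic. This is an added example, not code from Japan's CERT, Qualitia or any WAF product; the function name `inspect_multipart` and the 1024-byte limit are assumptions, since the guidance only says "a certain size".

```python
import re

# Assumed limit: the guidance only says "a certain size"; tune it to your own traffic.
MAX_HEADER_BYTES = 1024
_BOUNDARY = re.compile(rb'boundary="?([^";\r\n]+)"?', re.IGNORECASE)


def inspect_multipart(content_type: bytes, body: bytes, limit: int = MAX_HEADER_BYTES):
    """Return (allow, reason) for one request; fails closed on malformed multipart."""
    if not content_type.strip().lower().startswith(b"multipart/form-data"):
        return True, "not multipart/form-data"
    if len(content_type) > limit:
        return False, "Content-Type header exceeds limit"
    match = _BOUNDARY.search(content_type)
    if not match:
        return False, "multipart/form-data without a boundary"
    delimiter = b"--" + match.group(1).strip()
    # Simplification: a real parser only honours the delimiter at line start.
    sections = body.split(delimiter)
    # sections[0] is the preamble; the last one must begin the closing "--".
    if len(sections) < 3 or not sections[-1].startswith(b"--"):
        return False, "malformed multipart body"
    for index, part in enumerate(sections[1:-1], start=1):
        head, sep, _ = part.partition(b"\r\n\r\n")
        if not sep:
            return False, f"part {index} has no header terminator"
        size = len(head.strip(b"\r\n"))
        if size > limit:
            return False, f"part {index} header block is {size} bytes (limit {limit})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    ctype = b"multipart/form-data; boundary=XyZ"
    normal = (b'--XyZ\r\nContent-Disposition: form-data; name="subject"\r\n\r\n'
              b"hello\r\n--XyZ--\r\n")
    oversized = (b'--XyZ\r\nContent-Disposition: form-data; name="f"; filename="'
                 + b"a" * 4096 + b'"\r\n\r\ndata\r\n--XyZ--\r\n')
    for label, body in (("normal", normal), ("oversized", oversized)):
        print(label, inspect_multipart(ctype, body))
```

Blocked requests should be logged with the returned reason so that legitimate clients hitting the limit can be told apart from probing.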
IIJ Confirms Customer Data Compromised via CVE-2025-42599 Exploitation
On April 23, Japanese internet provider IIJ confirmed it had also been targeted. The attack, first detected on April 15, resulted in unauthorized access to customer information. The incident further confirms the flaw was exploited as a zero-day, prior to public disclosure.
Patch and Mitigation Guidance
Qualitia has released a fixed version:
Active! Mail 6 BuildInfo: 6.60.06008562
All organizations using Active! Mail are strongly advised to update immediately. Where immediate patching is not feasible, Japan’s CERT recommends enforcing strict WAF configurations to reduce the risk of exploitation.