Critical Buffer Overflow in Active! mail Identified as Cause of IIJ Secure MX Data Breach
While Internet Initiative Japan (IIJ) recently confirmed the extent of a data leak affecting their IIJ Secure MX Service, details have emerged regarding the specific technical weakness that attackers exploited. The incident, which compromised customer data including email accounts and linked cloud service administrator credentials, was traced back to a critical buffer overflow vulnerability present in the Active! mail webmail system integrated into the service.
The IIJ data leak, publicly confirmed with specific numbers on April 22, 2025 (including the exposure of 311,288 email accounts), highlights the severe real-world consequences that can stem from vulnerabilities in software components.
The vulnerability responsible is a buffer overflow issue found within Active! mail. This specific flaw has been assigned the identifier CVE-2025-42599.
The vendor of Active! mail, Qualitia, had announced this vulnerability and released a corrective patch on April 18, 2025. Notably, they had already made the updated version available on April 16, describing the fixes contained within as “extremely urgent and important,” signaling the severity of the underlying issue even before its public technical disclosure.
Following Qualitia’s announcement, the JPCERT Coordination Center (JPCERT/CC) also issued a security advisory regarding CVE-2025-42599 on April 18. Their warning stressed that this vulnerability, if unaddressed, could indeed lead to serious consequences for systems running vulnerable versions of Active! mail.
This vulnerability is considered exceptionally dangerous, reflected in its high score on the Common Vulnerability Scoring System (CVSS) version 3. CVE-2025-42599 received a score of 9.8 out of a possible 10, placing it in the critical severity category.
A buffer overflow occurs when a program tries to write data into a temporary storage buffer but exceeds the buffer’s capacity. The excess data spills over into adjacent memory locations, which can overwrite other data or even executable code instructions. In the context of CVE-2025-42599, the vulnerability specifically allowed attackers to manipulate data to overwrite the “stack region” of the program’s memory – an area vital for managing function calls and storing return addresses.
According to Qualitia, the vulnerability could be exploited remotely. By crafting and sending a specific type of request to a vulnerable Active! mail instance, an attacker could potentially achieve arbitrary code execution. This means they could run their own code on the compromised server. Additionally, exploitation could also lead to a Denial of Service (DoS) state, making the service unavailable.
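To make the mechanism described above concrete, the following C snippet is an added illustration and is not Active! mail code (the public advisory does not include the affected source). It contrasts the generic defect class, an unbounded copy of a request field into a fixed-size stack buffer, with a bounded version that rejects oversized input before copying. The buffer size, function names and sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not Active! mail code). A request field whose
 * length the client controls is copied into a fixed 32-byte stack
 * buffer; the size is chosen for the example. */
#define FIELD_MAX 32

/* Vulnerable pattern: copies the whole input without checking its
 * length. An input longer than FIELD_MAX-1 bytes writes past `field`
 * into the rest of the stack frame (saved registers, return address),
 * which is the "stack region" overwrite the article describes. Kept
 * only to contrast with the bounded version; never pass it
 * untrusted input. */
static int parse_field_unsafe(const char *input)
{
    char field[FIELD_MAX];
    strcpy(field, input);            /* no bound check: the defect */
    return (int)strlen(field);
}

/* Hardened pattern: measure the input without scanning past the
 * destination size, reject anything that would not fit together with
 * its NUL terminator, and copy with an explicit bound.
 * Returns the number of bytes copied, or -1 if the input is too long. */
static int parse_field_bounded(const char *input, char *out, size_t out_sz)
{
    size_t n = 0;
    while (n < out_sz && input[n] != '\0')   /* bounded length scan */
        n++;
    if (out_sz == 0 || n >= out_sz)          /* needs n+1 bytes incl. NUL */
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return (int)n;
}

/* Same stack buffer as the unsafe version, but the copy is bounded. */
static int parse_field_safe(const char *input)
{
    char field[FIELD_MAX];
    return parse_field_bounded(input, field, sizeof field);
}

int main(void)
{
    /* Constructed inputs: one that fits, one deliberately too long. */
    const char *ok = "user@example.com";
    char long_input[200];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    printf("unsafe, fits:   %d\n", parse_field_unsafe(ok));        /* 16 */
    printf("safe, fits:     %d\n", parse_field_safe(ok));          /* 16 */
    printf("safe, too long: %d\n", parse_field_safe(long_input));  /* -1 */
    /* parse_field_unsafe(long_input) would corrupt the stack; not run. */
    return 0;
}
```

The bounded version is the shape a patch for this defect class typically takes: the length check happens before any byte is written, and the rejection path returns an error the caller can turn into an HTTP 4xx instead of a crash or code execution. Stack protectors, ASLR and non-executable stacks raise the cost of exploiting the unsafe version, but they do not remove the bug, which is why the vendor patch is the actual fix.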
Expert Commentary on the Risk
Toyotaka Sejiyama, Assistant Director of the Security Research Center at Macnica, commented on the potential ramifications of such a vulnerability. He explained that successfully exploiting a flaw that allows arbitrary code execution with the software’s privileges can grant attackers extensive control. This level of access makes it possible to perform various malicious actions, such as deploying malware, stealing sensitive information, or using the initial compromised server as a “stepping stone” to further infiltrate and compromise other systems within the same network.
The exploitation of CVE-2025-42599 leading to the IIJ data breach underscores the vital importance of prompt vulnerability management and patching. When vendors like Qualitia issue urgent updates and authorities like JPCERT/CC release alerts, it is a clear signal that immediate action is required.
Applying patches quickly is the most effective defense against known vulnerabilities. Attackers actively monitor patch releases to understand the underlying flaws and develop exploits targeting systems that have not yet been updated. The IIJ Secure MX Service incident serves as a compelling case study on the significant impact that can result when even a well-known and patched critical vulnerability is successfully exploited in production systems. It highlights the ongoing challenge for organizations to maintain rigorous patching schedules and stay informed about security advisories affecting all components within their infrastructure.