hMailServer Exploit GitHub

A now-patched path traversal vulnerability allowed remote attackers to read arbitrary files on the server by manipulating the log file viewer endpoint. Exploits use ../../../../windows/win.ini style payloads.
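Added example, not from the original page or the hMailServer project: a Python scan of web access log lines for the traversal payload style mentioned above, catching percent-encoded and backslash forms as well as the plain one. The /logview path, the file parameter and the log lines are constructed assumptions, since the page does not name the endpoint.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (not from a real server).
# "/logview" and "file" are hypothetical names for the log viewer endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /logview?file=hmailserver_2025-01-01.log HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /logview?file=../../../../windows/win.ini HTTP/1.1" 200 92',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /logview?file=%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 404 0',
    '198.51.100.2 - - [01/Jan/2025:10:01:00 +0000] "GET /logview?file=archive..old.log HTTP/1.1" 200 300',
]

# Client IP, request target and status code from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if the decoded path or query contains a '..' path segment."""
    parts = urlsplit(target)
    candidate = fully_decode(parts.path + "?" + parts.query).replace("\\", "/")
    # Match whole segments only, so a name like "archive..old.log" is not flagged.
    return ".." in re.split(r"[/?&=]", candidate)

def find_traversal_requests(lines):
    """Return (client_ip, status, target) for each request that attempts traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group(2)):
            hits.append((m.group(1), int(m.group(3)), m.group(2)))
    return hits

if __name__ == "__main__":
    for ip, status, target in find_traversal_requests(SAMPLE_LOG):
        # A 200 on a traversal request means the file was probably served.
        print(f"{ip} status={status} {target}")
```

Hits that returned status 200 are the ones to triage first, since they indicate the requested file was likely served.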

CVE-2025-52373 represents one of the most significant cryptographic weaknesses discovered in hMailServer. The vulnerability stems from the use of a hardcoded cryptographic key in hMailServer versions 5.8.6 and 5.6.9-beta. This hardcoded key allows an attacker to decrypt passwords used in database connections from the hMailServer.ini configuration file.

Restrict access to the hMailServer administration ports to trusted IP addresses only.