Security Announcement on CVE-2025-56425
We will update this announcement with new details as they emerge from our analysis. Please check back periodically.
Last update: 28.01.2026, 16:00 CET
CVE-2025-56425 is a critical vulnerability in enaio® appconnector.
The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint.
The following versions of enaio® appconnector are affected:
10.10.0.183 and earlier of enaio® version 10.10
11.0.0.183 and earlier of enaio® version 11.0
11.10.0.183 and earlier of enaio® version 11.10
The following hotfixes from 09.01.2026 fix this vulnerability:
10.10.0.191
11.0.0.191
11.10.0.191
You can find the hotfixes in our Serviceportal via 'Software > Version > Release Info'.
