CVE-2025-1886 Overview
CVE-2025-1886 is a Pass-Back vulnerability affecting Sage 200 Spain versions prior to 2025.35.000. The flaw allows an authenticated attacker with administrator privileges to recover stored Simple Mail Transfer Protocol (SMTP) credentials configured within the application. The issue is categorized under [CWE-522]: Insufficient Credentially Protected Credentials. Successful exploitation exposes mail server account secrets that attackers can reuse for phishing, lateral movement, or business email compromise. The vulnerability was published to the National Vulnerability Database (NVD) on March 7, 2025, and disclosed publicly through the Spanish National Cybersecurity Institute (INCIBE).
Critical Impact
An administrator-level attacker can extract plaintext SMTP credentials from Sage 200 Spain, enabling abuse of the organization's mail infrastructure for outbound phishing and data exfiltration.
Affected Products
- Sage 200 Spain versions prior to 2025.35.000
- SMTP configuration component of Sage 200 Spain
- Deployments using stored mail server credentials within the application
Discovery Timeline
- 2025-03-07 - CVE-2025-1886 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-1886
Vulnerability Analysis
The vulnerability is a Pass-Back attack against the SMTP configuration interface in Sage 200 Spain. In a Pass-Back attack, an attacker reconfigures the host or port for an outbound service so the application sends its stored credentials to an attacker-controlled endpoint. The application replays the saved SMTP username and password during a test or send operation, exposing them in cleartext to the listener. The flaw is classified under [CWE-522] because the credentials are stored in a manner that permits retrieval by an actor with administrative access to the configuration screen. While administrator privileges are required, the impact is significant because mail accounts are frequently shared across services and tenants.
Root Cause
The root cause is that Sage 200 Spain does not enforce server-side verification of the SMTP destination before reusing the stored credential. The credential is bound to the configuration record rather than to a specific, verified mail server. When the destination host or port is changed, the application transmits the original credential to the new target without prompting the operator to re-enter it.
Attack Vector
An attacker who has obtained administrator credentials authenticates to the Sage 200 Spain console. The attacker edits the SMTP configuration, replacing the legitimate mail host with an attacker-controlled SMTP listener that records AUTH LOGIN or AUTH PLAIN exchanges. The attacker then triggers a test message or any function that initiates an SMTP session. The application connects to the attacker's listener and submits the stored credentials, which are captured in base64 or cleartext form depending on the negotiated authentication mechanism.
No verified public proof-of-concept code is available. See the INCIBE Security Notice for the vendor-coordinated advisory.
Detection Methods for CVE-2025-1886
Indicators of Compromise
- Unexpected modifications to the SMTP host, port, or TLS settings in the Sage 200 Spain administrative console.
- Outbound SMTP connections from the Sage 200 server to hosts outside the organization's approved mail relay list.
- SMTP AUTH exchanges directed to IP addresses or domains not associated with the configured corporate mail provider.
- Administrator logins to Sage 200 Spain followed within minutes by configuration changes and test-send events.
Detection Strategies
- Audit Sage 200 application logs for changes to mail server configuration entries and correlate with the initiating administrator account.
- Monitor egress firewall logs for SMTP traffic (TCP 25, 465, 587) leaving the Sage 200 host to non-approved destinations.
- Alert on administrator session activity outside business hours or from new source addresses.
Monitoring Recommendations
- Forward Sage 200 Spain audit logs and host network telemetry to a centralized logging platform for correlation and retention.
- Build allow-lists of approved SMTP relays at the network perimeter and alert on deviations.
- Rotate any SMTP credential observed to have been used by a Sage 200 instance running a vulnerable version.
How to Mitigate CVE-2025-1886
Immediate Actions Required
- Upgrade Sage 200 Spain to version 2025.35.000 or later, which addresses the Pass-Back behavior.
- Rotate all SMTP account passwords previously stored in vulnerable Sage 200 Spain instances.
- Review administrator account inventory and remove or restrict accounts that do not require configuration privileges.
- Enforce multi-factor authentication on all Sage 200 administrative logins to raise the cost of obtaining the required privilege level.
Patch Information
Sage has released version 2025.35.000 of Sage 200 Spain to remediate this vulnerability. Customers should obtain the update through the standard Sage distribution channel. Refer to the INCIBE Security Notice for vendor-coordinated remediation guidance.
Workarounds
- Restrict outbound SMTP from the Sage 200 server to a fixed list of approved relays using host or perimeter firewall rules.
- Limit administrative access to the Sage 200 console to a small, audited group of operators.
- Use a dedicated, low-privilege SMTP account that is unique to Sage 200 and not reused for any other service or mailbox.
- Enable detailed audit logging on the SMTP configuration page and review changes on a recurring basis.
# Example: restrict outbound SMTP from the Sage 200 host to an approved relay
# (Linux iptables illustration; adapt to your firewall platform)
iptables -A OUTPUT -p tcp -d mail-relay.example.com --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 465 -j DROP
iptables -A OUTPUT -p tcp --dport 587 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

