CVE-2026-2234

9.1 CRITICAL

Published 2026-02-09 · Modified 2026-02-09 · Awaiting Analysis

Quick Summary

A critical vulnerability in HGiga's C&Cm@il software allows anyone on the internet to access and change any user's emails without needing a password. This flaw completely bypasses the system's login security.

Who is affected

All organizations using the vulnerable HGiga C&Cm@il software are affected. An attacker could read sensitive information, send fraudulent emails, or delete mail data.

Recommended fix

Immediately apply the security patch provided by HGiga. Until patched, restrict network access to the C&Cm@il server to only trusted internal networks if possible.

Technical Description

C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content.

CVSS Details

Attack Vector: NETWORK

Complexity: LOW

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-306
