CVE-2025-34491

GFI MailEssentials prior to version 21.8 is vulnerable to a .NET deserialization issue. A remote and authenticated attacker can execute arbitrary code by sending crafted serialized .NET when joining to a Multi-Server setup.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html
https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases

Configurations

No configuration.

History

29 Apr 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) Las versiones anteriores a la 21.8 de GFI MailEssentials son vulnerables a un problema de deserialización de .NET. Un atacante remoto y autenticado puede ejecutar código arbitrario enviando un archivo .NET serializado y manipulado al unirse a una configuración multiservidor.

28 Apr 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-28 20:15

Updated : 2025-04-29 13:52

NVD link : CVE-2025-34491

Mitre link : CVE-2025-34491

CVE.ORG link : CVE-2025-34491

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

8.8 /10