CVE-2025-34427
📋 TL;DR
MailEnable versions before 10.54 store user and administrative passwords in plaintext in the AUTH.TAB file, and the file is created with overly permissive filesystem permissions. Any local user who can read the file recovers every password in one go and can use them to log into mail services or take administrative control of the server. Any organization running a MailEnable version below 10.54 is affected.
💻 Affected Systems
- MailEnable (all versions before 10.54)
📦 What is this software?
MailEnable, by MailEnable, is a mail server for Windows that provides SMTP, POP3, IMAP and webmail services.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all mail accounts, administrative takeover of the MailEnable server, and potential lateral movement to other systems using reused credentials.
Likely Case
Unauthorized access to user mailboxes, email exfiltration, and potential privilege escalation to administrative functions.
If Mitigated
Exposure is limited to whoever can already read the file (or a copy of it) if AUTH.TAB permissions are tightened and network controls keep mail and administrative services unreachable from untrusted hosts; stolen credentials are of little use when the services they unlock cannot be reached.
🎯 Exploit Status
Exploitation requires local authenticated access that can read AUTH.TAB (or access to any copy of the file, such as a backup); no exploit code is involved, the passwords are read straight out of the file once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.54
Vendor Advisory: https://mailenable.com/Standard-ReleaseNotes.txt
Restart Required: Yes
Instructions:
1. Download MailEnable version 10.54 or later from the official website.
2. Run the installer to upgrade the existing installation.
3. Restart the MailEnable services.
4. Inspect AUTH.TAB and confirm it no longer contains plaintext passwords; if any account's password is still readable after the upgrade, reset that account's password and re-check the file.
🔧 Temporary Workarounds
Restrict filesystem permissions on AUTH.TAB
Windows: Set strict NTFS permissions on AUTH.TAB so that only SYSTEM and Administrators can read it. Adjust the path if MailEnable is installed elsewhere (for example under Program Files (x86)). Two caveats: an explicit Deny entry takes precedence over any Allow, so if the MailEnable services run under a dedicated service account that is only a member of Users, grant that account read access explicitly or the services will stop being able to authenticate users; and this only limits who can read the file, the passwords are still stored in plaintext, so administrators and anyone holding a copy of the file (backups, file shares, disk images) still obtain them.
icacls "C:\Program Files\Mail Enable\Config\AUTH.TAB" /inheritance:r /grant "SYSTEM:(F)" /grant "Administrators:(F)" /deny "Users:(R)"
🧯 If You Can't Patch
- Limit local logon (including RDP) to the MailEnable server to administrators only, and remove the server from any file share or backup job that exposes the configuration directory to non-administrators.
- Treat every password held in AUTH.TAB as potentially exposed: make sure they are not reused on other systems, monitor for unusual authentication attempts to mail services, and segment the server so mail and administrative interfaces are reachable only from where they are needed.
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if the MailEnable version is below 10.54. To confirm the exposure, examine AUTH.TAB for plaintext password entries and check its ACL for read access granted to broad groups such as Users, Authenticated Users or Everyone.
Check Version:
Open the MailEnable Management Console, which displays the installed version, or check the version information of the MailEnable executables in the installation directory.
Verify Fix Applied:
After upgrading, confirm the installed version is 10.54 or later, then inspect AUTH.TAB and verify that passwords are stored encrypted/hashed rather than in plaintext. Re-check the file's ACL as well: the upgrade addresses the storage format, and any permission tightening applied as a workaround should remain in place.
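The two checks above, version and file ACL, combined into one script. This is an added example, not MailEnable's own tooling or anything from the vendor advisory. It assumes you pass in the version string as shown in the Management Console and, unless told otherwise, the default install path used in the icacls workaround; the list of "broad" principals is an assumption to extend with any domain groups that apply in your environment.

```powershell
# Added example (not MailEnable code): is this install exposed to CVE-2025-34427?
function Test-MailEnableAuthTab {
    param(
        # Version string as displayed in the MailEnable Management Console (assumed input).
        [Parameter(Mandatory)][string]$InstalledVersion,
        # Default install path from the workaround above; adjust for your installation.
        [string]$AuthTabPath = 'C:\Program Files\Mail Enable\Config\AUTH.TAB'
    )

    $fixedVersion      = [version]'10.54'
    $versionVulnerable = [version]$InstalledVersion -lt $fixedVersion

    # Principals that effectively mean "any local user" (assumed list; add domain groups as needed).
    $broadPrincipals = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE',
        'Everyone'
    )

    $allowed = @()
    $denied  = @()
    $exists  = Test-Path -LiteralPath $AuthTabPath
    if ($exists) {
        $acl = Get-Acl -LiteralPath $AuthTabPath
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($broadPrincipals -notcontains $who) { continue }
            # Any Allow entry for a broad principal on a password file is wrong regardless of the
            # exact rights mask, so we do not decode FileSystemRights here. A Deny entry for the
            # same principal (as the icacls workaround adds) overrides its Allow entries.
            if ($ace.AccessControlType -eq 'Deny') { $denied += $who } else { $allowed += $who }
        }
    }
    $broadReaders = @($allowed | Where-Object { $denied -notcontains $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        InstalledVersion  = $InstalledVersion
        VersionVulnerable = $versionVulnerable
        AuthTabPath       = $AuthTabPath
        AuthTabExists     = $exists
        BroadReadAccess   = $broadReaders
        # Unpatched AND readable by any local user is the exploitable combination.
        Exploitable       = $versionVulnerable -and ($broadReaders.Count -gt 0)
    }
}

# Usage: report for a hypothetical 10.53 install at the default path.
Test-MailEnableAuthTab -InstalledVersion '10.53' | Format-List
```

Run it as an administrator so Get-Acl can read the file's security descriptor. A result of VersionVulnerable = True with an empty BroadReadAccess means the workaround is in place but the plaintext storage remains; only the upgrade clears VersionVulnerable.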
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful logins from unusual IPs
- Administrative console or webmail admin logins from hosts, source addresses or times not associated with known administrators
Network Indicators:
- Unusual POP3/SMTP/webmail traffic patterns
- Authentication attempts using credentials from compromised accounts
SIEM Query:
source="mailenable.log" AND (event="authentication success" OR event="admin login") | stats count by user, src_ip
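The two log indicators above as detection logic, run over a constructed sample of authentication events. This is an added example, not MailEnable code and not a real MailEnable log; the field names (Time, User, SrcIp, Event) are assumptions that mirror the placeholder fields in the SIEM query, so map your real MailEnable log columns onto them first.

```powershell
# Added example (not MailEnable code): failed-then-successful logins from one source, and
# admin logins from sources not on an expected list, over constructed sample events.
function Find-SuspiciousMailAuth {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$KnownAdminSources = @(),   # source IPs from which admin logins are expected
        [int]$FailureThreshold = 3,           # failures before a success that trigger rule 1
        [int]$WindowMinutes = 15              # look-back window for those failures
    )

    $findings = @()

    # Rule 1: burst of failures followed by a success, same user and same source
    # (password guessing, or trying several harvested passwords against one account).
    foreach ($group in ($Events | Group-Object -Property User, SrcIp)) {
        $failureTimes = @()
        foreach ($e in ($group.Group | Sort-Object Time)) {
            switch ($e.Event) {
                'authentication failure' { $failureTimes += [datetime]$e.Time }
                'authentication success' {
                    $cutoff = ([datetime]$e.Time).AddMinutes(-$WindowMinutes)
                    $recent = @($failureTimes | Where-Object { $_ -ge $cutoff }).Count
                    if ($recent -ge $FailureThreshold) {
                        $findings += [pscustomobject]@{
                            Rule   = 'FailuresThenSuccess'
                            User   = $e.User
                            SrcIp  = $e.SrcIp
                            Detail = "$recent failures in the $WindowMinutes minutes before success at $($e.Time)"
                        }
                    }
                    $failureTimes = @()   # a success resets the window for this user/source pair
                }
            }
        }
    }

    # Rule 2: administrative logins from a source that is not on the expected list.
    foreach ($e in ($Events | Where-Object { $_.Event -eq 'admin login' })) {
        if ($KnownAdminSources -notcontains $e.SrcIp) {
            $findings += [pscustomobject]@{
                Rule   = 'AdminLoginUnexpectedSource'
                User   = $e.User
                SrcIp  = $e.SrcIp
                Detail = "admin login at $($e.Time) from a source not in KnownAdminSources"
            }
        }
    }

    return $findings
}

# Constructed sample events (not real MailEnable log output).
$sample = @(
    [pscustomobject]@{ Time = '2025-06-01T09:00:00'; User = 'alice'; SrcIp = '10.0.0.5';     Event = 'authentication success' }
    [pscustomobject]@{ Time = '2025-06-01T09:01:00'; User = 'bob';   SrcIp = '203.0.113.7';  Event = 'authentication failure' }
    [pscustomobject]@{ Time = '2025-06-01T09:01:20'; User = 'bob';   SrcIp = '203.0.113.7';  Event = 'authentication failure' }
    [pscustomobject]@{ Time = '2025-06-01T09:01:40'; User = 'bob';   SrcIp = '203.0.113.7';  Event = 'authentication failure' }
    [pscustomobject]@{ Time = '2025-06-01T09:02:00'; User = 'bob';   SrcIp = '203.0.113.7';  Event = 'authentication success' }
    [pscustomobject]@{ Time = '2025-06-01T09:05:00'; User = 'admin'; SrcIp = '10.0.0.2';     Event = 'admin login' }
    [pscustomobject]@{ Time = '2025-06-01T09:07:00'; User = 'admin'; SrcIp = '198.51.100.9'; Event = 'admin login' }
)

# Expected: one FailuresThenSuccess finding for bob from 203.0.113.7 and one
# AdminLoginUnexpectedSource finding for the admin login from 198.51.100.9.
Find-SuspiciousMailAuth -Events $sample -KnownAdminSources @('10.0.0.2') | Format-Table -AutoSize
```

Note that with passwords stolen from AUTH.TAB an attacker does not need to guess, so a success from a never-before-seen source with no preceding failures is the more telling pattern; rule 1 catches the noisy case, and rule 2 plus a per-user baseline of usual source addresses is what covers the quiet one.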