CVE-2025-65318

9.1 CRITICAL

📋 TL;DR

Canary Mail for Windows, versions 5.1.40 and below, saves downloaded attachments without the Mark-of-the-Web (MOTW) tag, the Zone.Identifier alternate data stream that Windows uses to mark files that came from the Internet. Without that tag, SmartScreen, Office Protected View and other MOTW-aware protections never engage, so a malicious attachment opens or executes without the usual security warnings. All users of affected Canary Mail versions on Windows are at risk.

💻 Affected Systems

Products:
  • Canary Mail
Versions: 5.1.40 and below
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: MOTW is a Windows mechanism (an NTFS alternate data stream), so only the Windows build is affected; macOS and other platforms are not affected by this CVE.

📦 What is this software?

Canary Mail is a desktop and mobile email client. The component affected here is its Windows desktop build, which writes received attachments to the local disk.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers deliver malicious attachments that execute without security warnings, leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Phishing campaigns using weaponized attachments bypass security warnings, leading to malware infections and credential theft.

🟢

If Mitigated

With proper email filtering and endpoint protection, malicious attachments are blocked before reaching users.

🌐 Internet-Facing: HIGH - Email clients are internet-facing by nature, making them prime targets for phishing attacks.
🏢 Internal Only: MEDIUM - Internal email systems could be compromised, but external attacks are more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction: the victim must save and open a malicious attachment. The bug itself provides no code execution; it removes the reputation checks and warnings that would otherwise stand between the user and the payload. Public proof-of-concept code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.41 or later

Vendor Advisory: http://canarymail.com

Restart Required: No

Instructions:

1. Open Canary Mail.
2. Go to Settings > About.
3. Check for updates.
4. Install version 5.1.41 or later.
5. Restart Canary Mail if prompted.

🔧 Temporary Workarounds

Disable automatic attachment saving

windows

Where the client exposes the option, turn off automatic saving of attachments so that nothing is written to disk without a deliberate user action

Enable Windows Defender Application Guard

windows

Use Windows Defender Application Guard for Office to isolate email attachments. Caveat: Office Protected View and Application Guard for Office decide what is untrusted from the very MOTW tag this bug omits, so they will not engage for an attachment Canary Mail wrote without it. Only isolation that is applied regardless of the file's zone (for example opening attachments in a dedicated VM) closes the gap.

🧯 If You Can't Patch

  • Block Canary Mail's mail traffic at the network perimeter until the client is patched, so affected installs cannot pull new attachments
  • Enforce strict filtering at the mail gateway: strip or quarantine executable and script attachments (.exe, .ps1, .bat, .vbs), macro-enabled Office documents and archives wrapping them, since the endpoint will show no warning once they land

🔍 How to Verify

Check if Vulnerable:

Check Canary Mail version in Settings > About. If version is 5.1.40 or below, you are vulnerable.

Check Version:

Not applicable - check through GUI in Settings > About

Verify Fix Applied:

After updating, have a harmless test attachment sent from an external address and save it through Canary Mail (not through a browser, which tags files correctly and would give a false pass). Then right-click the file > Properties > General tab: a file carrying MOTW shows the line "This file came from another computer and might be blocked" with an Unblock checkbox. The Security tab only shows ACLs and says nothing about MOTW.
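The following PowerShell is an added example, not code from the advisory or from Canary Mail. It serves both the "Verify Fix Applied" check above and the "If You Can't Patch" list: Get-MotwZone reads a file's Zone.Identifier stream and reports whether a Mark-of-the-Web is present and which zone it names, and Set-MotwInternet stamps ZoneId=3 (Internet) onto files that have no tag, as a compensating control for an unpatched client. The attachment folder path is an assumed placeholder.

```powershell
# Added example (not Canary Mail's code or the advisory's).
#   Get-MotwZone       reads a file's Zone.Identifier alternate data stream and reports
#                      whether a Mark-of-the-Web is present and which zone it names.
#   Set-MotwInternet   stamps ZoneId=3 (Internet) on files that carry no tag, as a
#                      compensating control while the client is unpatched.
# $AttachmentDir below is an assumed placeholder; point it at the folder where your
# Canary Mail install actually saves attachments. Requires Windows and an NTFS volume
# (FAT/exFAT cannot hold alternate data streams).

function Get-MotwZone {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        # A file with no Zone.Identifier stream carries no MOTW at all.
        $lines  = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in @($lines)) {
            # Stream body is an INI fragment: [ZoneTransfer], ZoneId=<n>, optional ReferrerUrl/HostUrl.
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1]; break }
        }
        $names = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
        if ($null -eq $zoneId)                { $zone = 'none' }
        elseif ($names.ContainsKey($zoneId))  { $zone = $names[$zoneId] }
        else                                  { $zone = 'unknown' }
        [pscustomobject]@{
            Path    = $Path
            HasMotw = ($null -ne $zoneId)
            ZoneId  = $zoneId
            Zone    = $zone
        }
    }
}

function Set-MotwInternet {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        if ((Get-MotwZone -Path $Path).HasMotw) { return }   # never overwrite an existing tag
        if ($PSCmdlet.ShouldProcess($Path, 'Write Zone.Identifier with ZoneId=3')) {
            # Same stream a browser writes. SmartScreen, Protected View and the
            # Properties > General "Unblock" checkbox all key off this ZoneId.
            Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value @('[ZoneTransfer]', 'ZoneId=3')
        }
    }
}

# Assumed placeholder path; adjust to your install.
$AttachmentDir = Join-Path $env:USERPROFILE 'Downloads\CanaryMail'

if (Test-Path -LiteralPath $AttachmentDir) {
    # Verify Fix Applied: after updating, every newly saved attachment should show Zone = Internet.
    Get-ChildItem -LiteralPath $AttachmentDir -File |
        ForEach-Object { Get-MotwZone -Path $_.FullName } |
        Format-Table Path, HasMotw, ZoneId, Zone -AutoSize

    # If You Can't Patch: tag whatever is still untagged. Add -WhatIf to preview. Run it from a
    # scheduled task or a FileSystemWatcher so the window between save and tag stays short.
    Get-ChildItem -LiteralPath $AttachmentDir -File |
        ForEach-Object { Set-MotwInternet -Path $_.FullName }
}
```

Two caveats on the compensating control: there is always a window between the client writing the file and the task tagging it, during which a fast user can still launch it unwarned, and a tag applied after the fact does nothing for a file the user has already moved to another folder or volume. It narrows the exposure; it does not replace the patch.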

📡 Detection & Monitoring

Log Indicators:

  • Files created under the Canary Mail attachment directory with no Zone.Identifier stream: a Sysmon Event ID 11 (FileCreate) from the mail client process with no matching Event ID 15 (FileCreateStreamHash) for <file>:Zone.Identifier
  • Process creation (Sysmon Event ID 1 or Windows Security 4688) where the new image, or a script handed to an interpreter, lives under that attachment directory

The bypass itself does not log: SmartScreen and Protected View simply never run for an untagged file, so detection has to key off the missing stream and off what executes afterwards.

Network Indicators:

  • Inbound mail carrying executable or script attachments, or archives wrapping them, as seen at the mail gateway

SIEM Query:

source="canarymail" AND event="attachment_download" AND file_type IN ("exe", "ps1", "bat", "vbs")

The query assumes a log source named canarymail that records attachment downloads with those field names; confirm that your deployment actually produces such events. If the client emits nothing usable, apply the same logic to endpoint telemetry (Sysmon file-create and process-create events) as described under Log Indicators.
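The detection logic from the Log Indicators above, as an added example that is not part of the advisory or the vendor's tooling: it correlates Sysmon Event ID 11 (FileCreate) with Event ID 15 (FileCreateStreamHash) and reports files written by the mail client that never received a Zone.Identifier stream. The mail client image path is an assumed placeholder, and the event records are constructed sample data in the shape of Sysmon's EventData fields; a converter for live Sysmon records is included so the same function can run against the real log.

```powershell
# Added example (not from the advisory or vendor). Flags files written by the mail
# client that never received a Zone.Identifier stream, by correlating Sysmon
# Event ID 11 (FileCreate) with Event ID 15 (FileCreateStreamHash, whose
# TargetFilename ends in ':Zone.Identifier').
# Assumptions: the mail client image path is a placeholder; the events below are
# constructed sample data, not captured telemetry.

$MailClientImage = 'C:\Program Files\Canary Mail\Canary Mail.exe'   # assumed placeholder

# Constructed sample: the client saves two attachments, a browser saves one.
# invoice.pdf and setup.msi are followed by an Event 15 (tagged);
# statement.exe is not, which is exactly the case this CVE produces.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 11; UtcTime = '2025-01-10 09:00:01.000'; Image = $MailClientImage;
                       TargetFilename = 'C:\Users\alice\Downloads\CanaryMail\invoice.pdf' }
    [pscustomobject]@{ EventId = 15; UtcTime = '2025-01-10 09:00:01.050'; Image = $MailClientImage;
                       TargetFilename = 'C:\Users\alice\Downloads\CanaryMail\invoice.pdf:Zone.Identifier' }
    [pscustomobject]@{ EventId = 11; UtcTime = '2025-01-10 09:02:13.000'; Image = $MailClientImage;
                       TargetFilename = 'C:\Users\alice\Downloads\CanaryMail\statement.exe' }
    [pscustomobject]@{ EventId = 11; UtcTime = '2025-01-10 09:03:00.000'; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe';
                       TargetFilename = 'C:\Users\alice\Downloads\setup.msi' }
    [pscustomobject]@{ EventId = 15; UtcTime = '2025-01-10 09:03:00.020'; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe';
                       TargetFilename = 'C:\Users\alice\Downloads\setup.msi:Zone.Identifier' }
)

function Find-UntaggedFileCreates {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string]$Image
    )
    # Index every file that received a Zone.Identifier stream, keyed by base path (case-insensitive).
    $tagged = @{}
    foreach ($e in $Events) {
        if ($e.EventId -eq 15 -and $e.TargetFilename -match '^(.+):Zone\.Identifier$') {
            $tagged[$Matches[1].ToLowerInvariant()] = $true
        }
    }
    # Every FileCreate by the mail client with no matching tag is a finding.
    foreach ($e in $Events) {
        if ($e.EventId -ne 11 -or $e.Image -ne $Image) { continue }
        if (-not $tagged.ContainsKey($e.TargetFilename.ToLowerInvariant())) {
            [pscustomobject]@{
                UtcTime = $e.UtcTime
                Image   = $e.Image
                File    = $e.TargetFilename
                Finding = 'FileCreate (Sysmon 11) with no Zone.Identifier stream (Sysmon 15)'
            }
        }
    }
}

# Maps a live Sysmon record onto the same four fields the sample objects carry.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            EventId        = $Record.Id
            UtcTime        = $data['UtcTime']
            Image          = $data['Image']
            TargetFilename = $data['TargetFilename']
        }
    }
}

# Offline run against the constructed sample.
Find-UntaggedFileCreates -Events $SampleEvents -Image $MailClientImage | Format-Table -AutoSize

# Live run (requires Sysmon with FileCreate and FileCreateStreamHash rules enabled
# for the attachment directory):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11, 15 } |
#             ConvertFrom-SysmonEvent
# Find-UntaggedFileCreates -Events $live -Image $MailClientImage
```

Correlating by file path rather than by time keeps the rule simple and tolerant of the small delay between the file write and the stream write; the cost is that a file the client creates and later deletes within the collection window still counts. Scope the Sysmon FileCreate rule to the attachment directory, otherwise every temp file the client writes becomes noise.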
