CVE-2026-23612
📋 TL;DR
This stored cross-site scripting vulnerability in GFI MailEssentials AI allows authenticated users to inject malicious scripts into the IP DNS Blocklist configuration page. The scripts are stored and executed when administrators view the management interface, potentially compromising their sessions. Only organizations using affected versions of GFI MailEssentials AI are impacted.
💻 Affected Systems
- GFI MailEssentials AI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated access could steal administrator session cookies, perform actions as administrators, or redirect them to malicious sites, potentially leading to full system compromise.
Likely Case
Authenticated malicious users could perform limited privilege escalation, session hijacking, or deface the management interface.
If Mitigated
With proper access controls and input validation, the impact is limited to authenticated users only, reducing overall risk.
🎯 Exploit Status
Exploitation requires authenticated access to the vulnerable configuration page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4 or later
Vendor Advisory: https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
Restart Required: Yes
Instructions:
1. Download GFI MailEssentials AI version 22.4 or later from the vendor portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the MailEssentials service after installation completes.
🔧 Temporary Workarounds
Input Validation Enhancement
Platform: Windows
Implement additional server-side input validation for the TXB_IPs parameter
Access Restriction
Platform: All
Restrict access to the /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx page to trusted administrators only
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-supplied data in the management interface
- Monitor and audit all authenticated user activities on the MailEssentials management interface
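The "Input Validation Enhancement" workaround above and the first point of this list both come down to the same control: treat the TXB_IPs field as an allowlist of IP addresses and CIDR ranges, reject everything else before it is stored, and HTML-encode whatever is echoed back into the management page. The example below is added here to show that pattern and is not GFI's code; it assumes entries are separated by newlines, commas or semicolons and that each entry is an IPv4/IPv6 address or network (the product's real parsing rules are not documented on this page).

```python
import html
import ipaddress

# Constructed sample of what a submitted TXB_IPs field might carry. The field
# name comes from the advisory; the delimiters and the "IP or CIDR per entry"
# format are assumptions, not GFI's documented behaviour.
SAMPLE_SUBMISSION = (
    "10.0.0.1\n"
    "192.168.0.0/24, 2001:db8::1\n"
    "<script>alert(1)</script>\n"   # markup masquerading as an entry
    "10.0.0.1"                      # duplicate of the first entry
)


def parse_entries(raw):
    """Split a submitted field into candidate entries (assumed delimiters)."""
    for sep in (",", ";"):
        raw = raw.replace(sep, "\n")
    return [e.strip() for e in raw.splitlines() if e.strip()]


def validate_blocklist(raw):
    """Allowlist validation for a blocklist field.

    Only entries that parse as an IP address or network are accepted; they are
    normalised to canonical CIDR form and de-duplicated. Anything else, including
    HTML or script fragments, is reported in the rejected list and never stored.
    Returns (accepted, rejected).
    """
    accepted, rejected, seen = [], [], set()
    for entry in parse_entries(raw):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        canonical = str(net)          # e.g. "10.0.0.1/32"
        if canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return accepted, rejected


def render_entry(entry):
    """Output encoding for any value echoed back into the management page.

    Even accepted entries are encoded on output, so the page stays safe if the
    stored data is ever populated through some path that skipped validation.
    """
    return html.escape(entry, quote=True)


if __name__ == "__main__":
    ok, bad = validate_blocklist(SAMPLE_SUBMISSION)
    print("accepted:", ok)
    print("rejected:", [render_entry(b) for b in bad])
```

Validation on input plus encoding on output is the combination that closes a stored XSS: the first keeps hostile markup out of the configuration store, the second makes the page safe even for data that is already there.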
🔍 How to Verify
Check if Vulnerable:
Check if the application version is below 22.4 and test for XSS payload injection in the IP DNS Blocklist configuration page
Check Version:
Check the version in the MailEssentials management interface under Help > About
Verify Fix Applied:
Verify the application version is 22.4 or higher and test that XSS payloads are properly sanitized in the IP DNS Blocklist page
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx with script tags in parameters
- Multiple failed login attempts followed by successful authentication and configuration changes
Network Indicators:
- HTTP requests containing script tags or JavaScript in the TXB_IPs parameter
SIEM Query:
source="mailessentials" AND uri="/MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx" AND param="TXB_IPs" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
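A literal CONTAINS match on "<script>" misses values that are URL-encoded, double-encoded, entity-encoded or mixed-case, so a detection rule should decode the parameter before matching. The script below is an added example, not part of the advisory, that implements the SIEM query above over constructed log lines and goes slightly beyond it by also flagging inline event-handler attributes. It assumes a proxy or WAF log that records the POST body in a simple "method path body" shape; standard IIS W3C logs do not contain request bodies, so body capture has to be enabled upstream for this to work.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx"
PARAM = "TXB_IPs"

# Script tag in any case or spacing, javascript: scheme, or an inline
# event-handler attribute (the last one is broader than the page's query).
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample log: "METHOD PATH FORM-BODY" per line, as a reverse proxy
# with body logging might record it. The second parameter name is invented.
SAMPLE_LOG = """\
POST /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx TXB_IPs=10.0.0.1%0A192.168.1.0%2F24&submit=1
POST /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx TXB_IPs=%3CScRiPt%3Ealert(1)%3C%2FscRiPt%3E&submit=1
POST /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx TXB_IPs=%26lt%3Bscript%26gt%3Bx&submit=1
POST /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx TXB_IPs=JaVaScRiPt%3Aalert(1)&submit=1
POST /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx TXB_IPs=10.0.0.2&submit=1
GET /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx -
POST /MailEssentials/pages/other.aspx TXB_IPs=%3Cscript%3E&submit=1
"""


def normalise(value):
    """Undo the encodings a value passes through before a browser renders it.

    Two URL-decode passes catch double encoding; html.unescape catches entity
    encoding (&lt;script&gt;), which a raw CONTAINS "<script>" rule would miss.
    """
    decoded = unquote_plus(unquote_plus(value))
    return html.unescape(decoded)


def parse_line(line):
    """Split a constructed log line into (method, path, body) or None."""
    parts = line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None


def find_suspicious(log_text):
    """Return (line_number, decoded_value) for every POST to the blocklist page
    whose TXB_IPs value contains script-like content after normalisation."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, path, body = parsed
        if method != "POST" or path != TARGET_PATH:
            continue
        # parse_qs already URL-decodes once; normalise() handles the rest.
        for raw in parse_qs(body, keep_blank_values=True).get(PARAM, []):
            value = normalise(raw)
            if SUSPICIOUS.search(value):
                hits.append((n, value))
    return hits


if __name__ == "__main__":
    for line_no, value in find_suspicious(SAMPLE_LOG):
        print(f"line {line_no}: {value!r}")
```

Lines 2, 3 and 4 of the sample are flagged; the benign CIDR entries, the GET and the request to a different page are not. The event-handler pattern can produce false positives on free-text fields, so scope it to the blocklist parameter as done here rather than applying it to every request.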