CVE-2026-23620
📋 TL;DR
GFI MailEssentials AI versions before 22.4 contain an authenticated file enumeration vulnerability. An authenticated attacker can check whether arbitrary files exist on the server by manipulating the 'path' parameter in the ListServer.IsDBExist() web method. This affects organizations using vulnerable versions of GFI MailEssentials AI.
💻 Affected Systems
- GFI MailEssentials AI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map the server filesystem, identify sensitive files (config files, credentials, databases), and use this information for further attacks like data theft or privilege escalation.
Likely Case
Information disclosure about server filesystem structure, potentially revealing configuration files, backup locations, or other sensitive file paths that could aid in targeted attacks.
If Mitigated
Limited information disclosure with no direct data exposure, though file existence knowledge could still assist attackers in reconnaissance.
🎯 Exploit Status
Exploitation requires authenticated access and involves sending crafted HTTP POST requests with manipulated JSON parameters to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4
Vendor Advisory: https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
Restart Required: Yes
Instructions:
1. Download GFI MailEssentials AI version 22.4 or later from the vendor portal.
2. Run the installer to upgrade.
3. Restart the GFI MailEssentials service.
4. Verify the version is 22.4 or higher.
🔧 Temporary Workarounds
Restrict Access to Vulnerable Endpoint
Platform: Windows. Use a web application firewall or IIS URL Rewrite rules to block access to /MailEssentials/pages/MailSecurity/ListServer.aspx.
IIS URL Rewrite Rule (note that this pattern blocks the whole ListServer page and every web method under it, not only IsDBExist, so confirm the page is not needed by legitimate administration before deploying it):
    <rule name="Block ListServer" stopProcessing="true">
        <match url="^MailEssentials/pages/MailSecurity/ListServer.aspx" />
        <action type="AbortRequest" />
    </rule>
Implement Strong Authentication Controls
Platform: All. Enforce multi-factor authentication and strong password policies for all MailEssentials AI administrative accounts.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the MailEssentials AI web interface to only trusted administrative networks.
- Enable detailed logging for the ListServer.aspx endpoint and monitor for unusual file path requests in the path parameter.
🔍 How to Verify
Check if Vulnerable:
Check the GFI MailEssentials AI version in the administrative interface. If version is below 22.4, the system is vulnerable.
Check Version:
Check Help > About in GFI MailEssentials AI web interface or examine installed programs in Windows Control Panel.
Verify Fix Applied:
After patching, verify the version shows 22.4 or higher in the administrative interface and test that the IsDBExist endpoint properly validates file paths.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist with unusual file paths in the JSON payload
- Multiple failed file existence checks to sensitive system paths
Network Indicators:
- Unusual patterns of POST requests to the vulnerable endpoint from single authenticated users
- Requests containing file paths outside expected application directories
SIEM Query (IIS W3C logs; because the 'path' parameter travels in the JSON POST body, which IIS does not log, this query can only surface POST activity against the endpoint, and the path values themselves must come from WAF or request-body logging):
source="IIS" AND cs_uri_stem="/MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist" AND cs_method="POST"
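As an added detection example (not part of this advisory or of the vendor's tooling), the following script reads IIS W3C log lines and flags authenticated users who burst IsDBExist POSTs, which is the log indicator above for repeated file-existence probing. The log excerpt, the field layout, and the threshold/window values are constructed assumptions; tune them to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory. The 'path' value is in the POST body, which
# IIS does not log, so the signal here is per-user request rate, not content.
IS_DB_EXIST = "/MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist"

# Constructed sample IIS W3C log excerpt (not real traffic): 'admin' fires a
# burst of IsDBExist POSTs, 'helpdesk' makes a single ordinary call.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-01-10 09:00:01 GET /MailEssentials/pages/MailSecurity/ListServer.aspx admin 10.0.0.20 200
2026-01-10 09:00:05 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist admin 10.0.0.20 200
2026-01-10 09:00:06 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist admin 10.0.0.20 200
2026-01-10 09:00:06 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist admin 10.0.0.20 200
2026-01-10 09:00:07 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist admin 10.0.0.20 200
2026-01-10 09:00:08 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist admin 10.0.0.20 200
2026-01-10 09:00:09 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist admin 10.0.0.20 200
2026-01-10 09:30:00 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist helpdesk 10.0.0.31 200
"""

def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_isdbexist_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, client_ip): total_posts} for clients that POST to IsDBExist
    at least `threshold` times inside any sliding interval of length `window`."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == IS_DB_EXIST.lower():
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits[(rec["cs-username"], rec["c-ip"])].append(ts)
    flagged = {}
    for key, times in hits.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for (user, ip), n in find_isdbexist_bursts(SAMPLE_LOG).items():
        print(f"review {user}@{ip}: {n} IsDBExist POSTs; check path values in WAF/body logs")
```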