XML External Entity Vulnerability in GFI MailEssentials
CVE-2025-34490

6.5MEDIUM

Key Information:

Vendor

Gfi

Status
Mailessentials
Vendor
CVE Published:
28 April 2025

Badges

👾 Exploit Exists

What is CVE-2025-34490?

GFI MailEssentials versions earlier than 21.8 are susceptible to an XML External Entity (XXE) vulnerability that allows authenticated remote attackers to craft specific HTTP requests. This exploit can enable them to read arbitrary system files, potentially exposing sensitive information. It is crucial for users to update to the latest version to mitigate these security risks.

Affected Version(s)

MailEssentials 0 < 21.8

References

https://frycos.github.io/vulns4free/2025/04/28/mailessent...
exploittechnical-description
https://gfi.ai/products-and-solutions/network-security-so...
vendor-advisory

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Frycos
.