cbcvebase.
CVE-2005-2278
published 2005-07-18

CVE-2005-2278: Stack-based buffer overflow in the IMAP daemon (imapd) in MailEnable Professional 1.54 allows remote authenticated users to execute arbitrary code via the…

PriorityP355high7.2CVSS 2.0
AVLACLAuNCCICAC
EXPLOIT
EPSS
84.64%
99.7th percentile
Stack-based buffer overflow in the IMAP daemon (imapd) in MailEnable Professional 1.54 allows remote authenticated users to execute arbitrary code via the status command with a long mailbox name.

Affected

1 ranges
VendorProductVersion rangeFixed in
mailenablemailenable_professional

Detection & IOCsextracted from sources · hover to see the quote

commanda001 STATUS ".\x00<buf><seh>" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n
port143
other0x1001c019
filenameMEAISP.DLL
  • Detect oversized IMAP STATUS command mailbox names — the exploit sends a STATUS request with a mailbox argument padded to 9273 bytes followed by a SEH overwrite payload.
  • Look for a null byte (\x00) embedded inside the IMAP STATUS mailbox name argument, which is a key exploit artefact used to trigger the overflow.
  • The exploit requires prior IMAP authentication; alert on authenticated IMAP sessions that subsequently issue an abnormally large STATUS command (>9000 bytes in the mailbox field).
  • Bad characters excluded from payload are \x00, \x0a, \x0d, \x20 — any IMAP STATUS mailbox argument containing high-entropy alphanumeric data of ~9273 bytes without spaces/newlines is highly suspicious.
  • Monitor for SEH-based shellcode execution originating from MEAISP.DLL at the known return address 0x1001c019 on MailEnable 1.54 Pro installations.
  • ·Exploit requires valid IMAP credentials before the STATUS overflow can be triggered; unauthenticated detection alone is insufficient.
  • ·Return addresses in the Metasploit module are OS-specific; the universal target uses MEAISP.DLL (0x1001c019) while XP SP0/SP1, Win2000, and Win2003 each have distinct hardcoded RET values — tune detection/blocking per target OS.
  • ·Payload space is constrained to 450 bytes with a stack adjustment of -3500; staged or large payloads will not fit without modification.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.