CVE-2007-3925
published 2007-07-21

Priority: P3 (59, medium) · CVSS 2.0 base score: 6.5
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 84.67% (99.7th percentile)
Multiple buffer overflows in the IMAP service (imapd32.exe) in Ipswitch IMail Server 2006 before 2006.21 allow remote authenticated users to execute arbitrary code via the (1) Search or (2) Search Charset command.

Affected (2 ranges)

Vendor     Product                        Version range   Fixed in
ipswitch   imail_server                   <= 2006.2
ipswitch   ipswitch_collaboration_suite   <= 2006.2

Detection & IOCs (extracted from sources)

filename: imapd32.exe
filename: imap4d32.exe
command: SEARCH ON <oversized string>
command: a002 SEARCH BEFORE <oversized string>
port: 143
bytes: \x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xb6\x78\xf8\x75
  • Detect oversized IMAP SEARCH command arguments on port 143; legitimate SEARCH arguments are short, while exploit payloads are hundreds of bytes long.
  • The exploit requires at least one message in the mailbox to succeed; correlate failed SEARCH attempts with mailbox state.
  • Monitor for bind-shell connections on port 1154 following IMAP SEARCH anomalies, as the public PoC shellcode binds a shell on that port.
  • Known bad characters in exploit payload are 0x00, 0x0a, 0x0d, 0x20, 0x0b, 0x09, 0x0c; payloads will avoid these bytes, which can aid in distinguishing encoded shellcode from normal traffic.
  • The Metasploit module prepends a stack-adjustment stub (\x81\xc4\xff\xef\xff\xff\x44) before the encoder; presence of this byte sequence in IMAP traffic is a strong indicator of exploitation.
  • Exploitation requires the targeted IMAP account to have at least one message in the mailbox; unauthenticated or empty-mailbox attempts will not trigger the overflow.
  • Exploitation requires valid IMAP credentials (remote authenticated users only); unauthenticated access cannot trigger the vulnerability.
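The detection notes above turned into a small classifier for client-side IMAP command lines. This is an added example, not code from the page or from any detection rule it references; the 256-byte argument cut-off and the 64-byte "bad-character-free run" heuristic are assumed thresholds, while the stub bytes and bad-character set come from the notes.

```python
import re

# Values from the detection notes; thresholds below are assumptions for this example.
STACK_ADJUST_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"     # Metasploit stack-adjustment stub
BAD_CHARS = {0x00, 0x0a, 0x0d, 0x20, 0x0b, 0x09, 0x0c}  # bytes the encoded payload avoids
MAX_SEARCH_ARG_LEN = 256   # assumed: legitimate SEARCH criteria are far shorter than this
MAX_CLEAN_RUN = 64         # assumed: a long run with none of BAD_CHARS looks encoded

# "<tag> [UID] SEARCH <criteria>"; DOTALL so binary payload bytes stay in <args>.
SEARCH_RE = re.compile(rb"^(?P<tag>\S+)\s+(?:UID\s+)?SEARCH\b\s*(?P<args>.*)$",
                       re.IGNORECASE | re.DOTALL)
BAD_CHAR_SPLIT = re.compile(rb"[\x00\x09\x0a\x0b\x0c\x0d\x20]+")


def inspect_imap_command(line: bytes) -> dict:
    """Classify one client-to-server IMAP command line (port 143 traffic)."""
    m = SEARCH_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return {"tag": None, "search": False, "alerts": []}
    args = m.group("args")
    alerts = []
    if len(args) > MAX_SEARCH_ARG_LEN:
        alerts.append("oversized_search_args")
    if STACK_ADJUST_STUB in args:
        alerts.append("metasploit_stack_adjust_stub")
    # Encoded shellcode avoids the bad characters, so it shows up as one long
    # token when the arguments are split on exactly those bytes.
    longest_run = max((len(t) for t in BAD_CHAR_SPLIT.split(args)), default=0)
    if longest_run > MAX_CLEAN_RUN:
        alerts.append("long_badchar_free_run")
    return {"tag": m.group("tag").decode(errors="replace"), "search": True, "alerts": alerts}


def scan_session(lines) -> list:
    """Return (tag, alerts) for every SEARCH command that raised an alert."""
    hits = []
    for line in lines:
        r = inspect_imap_command(line)
        if r["alerts"]:
            hits.append((r["tag"], r["alerts"]))
    return hits


# Constructed sample session: one benign SEARCH, one FETCH, one oversized SEARCH
# whose argument carries the stack-adjustment stub (filler bytes, no real payload).
SAMPLE_SESSION = [
    b'a001 SEARCH FROM "alice" SINCE 1-Jan-2007\r\n',
    b"a002 FETCH 1 BODY[]\r\n",
    b"a003 SEARCH BEFORE " + b"\x41" * 300 + STACK_ADJUST_STUB + b"\r\n",
]

if __name__ == "__main__":
    for tag, alerts in scan_session(SAMPLE_SESSION):
        print(tag, alerts)
```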