CVE-2025-34489Deserialization of Untrusted Data in Mailessentials

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 67.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GFI Mailessentials
Timeline
PublishedApr 28

Description

GFI MailEssentials prior to version 21.8 is vulnerable to a local privilege escalation issue. A local attacker can escalate to NT Authority/SYSTEM by sending a crafted serialized payload to a .NET Remoting Service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5gfi/mailessentials< 21.8
NVDgfi/mailessentials< 21.8

🔴Vulnerability Details

2
GHSA
GHSA-6h6j-8576-v4xg: GFI MailEssentials prior to version 212025-04-28
CVEList
GFI MailEssentials < 21.8 Local Privilege Escalation2025-04-28
CVE-2025-34489 — Deserialization of Untrusted Data | cvebase