CVE-2025-34490

GFI MailEssentials < 21.8 XXE Arbitrary File Read

CVSS 6.5 MEDIUM · EPSS 0.6% · CWE-611
In short

GFI MailEssentials before version 21.8 has a flaw that lets authenticated attackers read any file on the server by sending specially crafted XML requests. This is dangerous because sensitive files like passwords or configuration data could be exposed.

Technical detail

The application fails to properly validate XML input, allowing XXE injection attacks. An authenticated remote attacker can leverage this vulnerability by submitting malicious XML payloads to access arbitrary files on the underlying system, potentially disclosing sensitive configuration, credentials, or other confidential data.
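The fix for this class of flaw (CWE-611) is on the parser side: refuse DTD constructs and external entity references before the parser can act on them. The block below is an added example, not GFI code and not drawn from the advisory; it shows a hardened intake routine for client-supplied XML using Python's stdlib expat binding, plus a cheap pre-parse triage check that a WAF rule or log-review script can use to flag requests carrying DOCTYPE or ENTITY declarations. The request bodies, the hypothetical `request`/`user`/`action` element names and the file path in the constructed payload are all made up for the demonstration.

```python
"""Hardened XML intake: refuse DTD and entity constructs from untrusted clients.

Added example (not GFI MailEssentials code). Demonstrates the mitigation for
CWE-611: any DOCTYPE declaration, entity declaration or external entity
reference aborts the parse, so a crafted request cannot pull files from disk.
"""
import re
import xml.parsers.expat as expat


class XXEBlocked(ValueError):
    """Raised when client XML contains DTD or entity constructs."""


# Pre-parse triage: a DOCTYPE or ENTITY declaration in a request body is the
# indicator to alert on. Case-insensitive, tolerates whitespace after "<!".
_DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def looks_like_xxe(raw: bytes) -> bool:
    """Return True if the body carries DTD constructs (XXE indicator for logs/WAF)."""
    return _DTD_RE.search(raw) is not None


def parse_untrusted_xml(raw: bytes) -> dict:
    """Parse a flat client document with all DTD/entity handling refused.

    Returns {"root": tag, "fields": {child_tag: text}}.
    Raises XXEBlocked on any DOCTYPE, entity declaration or external entity
    reference, and expat.ExpatError on malformed XML.
    """
    parser = expat.ParserCreate()
    result = {"root": None, "fields": {}}
    stack = []
    text = []

    def refuse(*_args):
        # Any DTD construct ends the parse; the exception propagates out of Parse().
        raise XXEBlocked("DTD/entity constructs are not accepted from clients")

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse

    def start(tag, _attrs):
        if result["root"] is None:
            result["root"] = tag
        stack.append(tag)
        text.clear()

    def chars(data):
        # expat may deliver text in several chunks; accumulate them.
        text.append(data)

    def end(tag):
        stack.pop()
        if stack:  # a child of the root element: record its text
            result["fields"][tag] = "".join(text).strip()
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(raw, True)
    return result


def rejects_xxe(raw: bytes) -> bool:
    """True if the hardened parser refused the document because of DTD constructs."""
    try:
        parse_untrusted_xml(raw)
    except XXEBlocked:
        return True
    return False


# Constructed sample bodies (hypothetical schema, not GFI's request format).
BENIGN = (b"<?xml version='1.0'?>"
          b"<request><user>alice</user><action>list</action></request>")
XXE_PAYLOAD = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE request [<!ENTITY ext SYSTEM 'file:///placeholder/path'>]>"
               b"<request><user>&ext;</user></request>")


if __name__ == "__main__":
    print("benign parsed:", parse_untrusted_xml(BENIGN))
    print("payload flagged pre-parse:", looks_like_xxe(XXE_PAYLOAD))
    print("payload refused by parser:", rejects_xxe(XXE_PAYLOAD))
```

The two layers are deliberately independent: the regex is for detection and triage (it will also catch legitimate DTD usage, which a hardened endpoint should not be accepting anyway), while the handler-based refusal is the actual control and does not depend on pattern matching. For a .NET stack such as the one this product runs on, the equivalent control is setting the reader's DTD processing to prohibit and leaving the XML resolver null.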

Summary generated and translated by AI from the official description.

Official description
GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.

CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
GFI · MailEssentials
