CVE-2025-34491
GFI MailEssentials < 21.8 MultiNode Insecure Deserialization
In short
GFI MailEssentials before version 21.8 has a flaw that allows authenticated users to run malicious code by sending specially crafted data during multi-server setup. This happens because the software unsafely processes serialized .NET objects without proper validation.
Technical detail
The vulnerability stems from insecure deserialization of .NET objects (CWE-502) in the MultiNode join mechanism. An authenticated remote attacker can exploit this by crafting malicious serialized payloads that execute arbitrary code upon deserialization, bypassing security controls during multi-server cluster configuration.
Summary generated and translated by AI from the official description.
GFI MailEssentials prior to version 21.8 is vulnerable to a .NET deserialization issue. A remote and authenticated attacker can execute arbitrary code by sending crafted serialized .NET objects when joining a Multi-Server setup.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
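To make the CWE-502 pattern concrete, the following is an added C# example written for this page; it is not GFI's code and says nothing about how MailEssentials actually implements the MultiNode join. The JoinRequest type, the JoinHandler class and the method names are assumptions. It places the risky pattern (a BinaryFormatter that reconstructs whatever type the incoming bytes name) beside two mitigations: a data-only format bound to one declared type, which is the fix Microsoft recommends, and an allow-list SerializationBinder for legacy code that cannot drop BinaryFormatter yet, which is only defence in depth. UnmappedMemberHandling requires .NET 8 or later.

```csharp
// Added example, not GFI code: contrasting unsafe .NET deserialization (CWE-502)
// of a peer-supplied message with a type-bound, data-only alternative.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical message a node sends when it asks to join a multi-server cluster.
[Serializable]
public sealed class JoinRequest
{
    public string NodeName { get; set; } = "";
    public string ClusterId { get; set; } = "";
}

// Defence in depth only: an allow-list binder for legacy BinaryFormatter code.
// Microsoft does not treat a binder as a complete fix for BinaryFormatter.
public sealed class JoinOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(JoinRequest).FullName)
            return typeof(JoinRequest);
        // Any other type name in the stream is rejected before it is instantiated.
        throw new SerializationException($"type not permitted in join request: {typeName}");
    }
}

public static class JoinHandler
{
    // RISKY PATTERN: the byte stream itself names the types to construct, so an
    // authenticated peer, not the server, decides which object graph is built.
    // The return type 'object' is the tell: the code does not know what it gets.
    public static object JoinUnsafe(byte[] body)
    {
        var formatter = new BinaryFormatter();
        using var ms = new MemoryStream(body);
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete for exactly this reason
        return formatter.Deserialize(ms);
#pragma warning restore SYSLIB0011
    }

    // LEGACY MITIGATION: same formatter, but every type name in the stream must
    // pass the allow-list binder. Use only while migrating off BinaryFormatter.
    public static JoinRequest JoinWithBinder(byte[] body)
    {
        var formatter = new BinaryFormatter { Binder = new JoinOnlyBinder() };
        using var ms = new MemoryStream(body);
#pragma warning disable SYSLIB0011
        return (JoinRequest)formatter.Deserialize(ms);
#pragma warning restore SYSLIB0011
    }

    // RECOMMENDED: a data-only format deserialized into one explicit contract.
    // JSON carries no type names, so the peer can only fill JoinRequest's fields.
    public static JoinRequest JoinSafe(byte[] body)
    {
        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = true,
            // Reject fields the contract does not declare (.NET 8+).
            UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        };
        JoinRequest request = JsonSerializer.Deserialize<JoinRequest>(body, options)
            ?? throw new InvalidDataException("empty join request");

        // Validate the content as well as the shape: deserialization is not validation.
        if (string.IsNullOrWhiteSpace(request.NodeName) || request.NodeName.Length > 64)
            throw new InvalidDataException("invalid node name");
        if (string.IsNullOrWhiteSpace(request.ClusterId) || request.ClusterId.Length > 64)
            throw new InvalidDataException("invalid cluster id");
        return request;
    }

    public static void Main()
    {
        // Constructed sample request, as a peer following the safe contract would send it.
        byte[] body = JsonSerializer.SerializeToUtf8Bytes(
            new JoinRequest { NodeName = "node-02", ClusterId = "cluster-a" });
        JoinRequest req = JoinSafe(body);
        Console.WriteLine($"accepted join from {req.NodeName} into {req.ClusterId}");
    }
}
```

The detection angle follows from the same contrast: a deserialization endpoint whose return type is `object` (or whose formatter is BinaryFormatter, NetDataContractSerializer, SoapFormatter or a TypeNameHandling-enabled JSON setting) and that reads bytes from an authenticated peer is the thing to look for in a code review, because the authentication in the CVSS vector (PR:L) limits who can send the stream but not what the stream may contain.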
Affected products
GFI · MailEssentials