Unauthenticated SMTP RCE Flaws Expose Tabs Mail Carrier and Zimbra
Two high-severity vulnerabilities were disclosed in mail server software that allow unauthenticated remote code execution through crafted SMTP input. CVE-2019-25646 affects Tabs Mail Carrier 2.5.1, where an oversized MAIL FROM parameter triggers a buffer overflow on the SMTP service listening on port 25. The flaw can overwrite the EIP register and enable execution of attacker-controlled payloads, including a bind shell, giving remote attackers a direct path to code execution.
A second flaw, CVE-2025-71275, affects Zimbra Collaboration Suite 8.8.15 in the PostJournal service. In that case, improper sanitization of the SMTP RCPT TO parameter allows command injection via shell expansion syntax, leading to arbitrary command execution under the Zimbra service account. Both issues were classified with high impact across confidentiality, integrity, and availability, underscoring the risk posed by exposed SMTP services that process untrusted sender and recipient fields without adequate bounds checking or input sanitization.
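Both flaws come down to the same defensive gap the summary names: the SMTP envelope fields (MAIL FROM and RCPT TO) are attacker-controlled and must be bounds-checked and kept away from a shell before any downstream component touches them. The following is an added example, not code from Tabs, Zimbra, or this advisory: a small Python validator that enforces the RFC 5321 section 4.5.3.1 size limits (64-octet local-part, 255-octet domain, 256-octet path including the angle brackets), rejects any address containing POSIX shell metacharacters, scans a constructed SMTP session for violations, and builds an argv list (no shell) for a hypothetical downstream journaling helper. The helper path `/usr/local/bin/journal-helper` and the sample session lines are assumptions made for the example.

```python
import re

# Envelope size limits from RFC 5321 section 4.5.3.1.
MAX_LOCAL = 64     # local-part
MAX_DOMAIN = 255   # domain
MAX_PATH = 256     # whole path including the enclosing '<' and '>'

# Characters a POSIX shell treats specially. An envelope address that reaches a
# shell with any of these present is exactly the injection path described above,
# so the validator rejects them outright instead of trying to escape them.
SHELL_META = set("$`|;&<>(){}[]*?!\\\"'\n\r\t ")

# MAIL FROM:<path> / RCPT TO:<path>, optionally followed by ESMTP parameters.
_ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*?)>(?:\s+.*)?$", re.IGNORECASE)


def check_envelope(line: str):
    """Validate one envelope command.

    Returns (verb, address, None) when the address is acceptable, otherwise
    (verb, address, reason). Length is checked before content so an oversized
    path is rejected before any further parsing happens.
    """
    m = _ENVELOPE_RE.match(line)
    if not m:
        return (None, None, "malformed envelope command")
    verb, addr = m.group(1).upper(), m.group(2)
    if verb == "MAIL FROM" and addr == "":
        return (verb, addr, None)  # null reverse-path "<>" is legal for bounces
    if len(addr) + 2 > MAX_PATH:   # +2 for the '<' and '>' the limit includes
        return (verb, addr, f"path exceeds {MAX_PATH} octets")
    if "@" not in addr:
        return (verb, addr, "missing @")
    local, _, domain = addr.rpartition("@")
    if len(local) > MAX_LOCAL:
        return (verb, addr, f"local-part exceeds {MAX_LOCAL} octets")
    if len(domain) > MAX_DOMAIN:
        return (verb, addr, f"domain exceeds {MAX_DOMAIN} octets")
    bad = sorted(SHELL_META & set(addr))
    if bad:
        return (verb, addr, "shell metacharacters: " + "".join(bad))
    return (verb, addr, None)


def scan_session(lines):
    """Return [(line_index, verb, reason)] for every envelope line that fails."""
    rejected = []
    for i, line in enumerate(lines):
        verb, _, reason = check_envelope(line)
        if reason is not None:
            rejected.append((i, verb, reason))
    return rejected


# Hypothetical downstream helper that needs the recipient as an argument.
JOURNAL_HELPER = "/usr/local/bin/journal-helper"


def journal_argv(rcpt: str):
    """Build an argv list for the helper. The address is validated first and is
    passed as a discrete argument, never interpolated into a shell string, so
    shell expansion syntax can never be interpreted even if validation changes."""
    _, addr, reason = check_envelope(f"RCPT TO:<{rcpt}>")
    if reason is not None:
        raise ValueError(f"rejected recipient: {reason}")
    return [JOURNAL_HELPER, "--rcpt", addr]


def argv_rejects(rcpt: str) -> bool:
    """True when journal_argv refuses the recipient."""
    try:
        journal_argv(rcpt)
    except ValueError:
        return True
    return False


# Constructed sample session (not a real capture): two clean commands, an
# oversized reverse-path, two recipients carrying shell syntax, and a bounce.
SAMPLE_SESSION = [
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "MAIL FROM:<" + "A" * 300 + "@example.com>",
    "RCPT TO:<$(x)@example.net>",
    "RCPT TO:<bob@example.net|cat>",
    "MAIL FROM:<>",
]

if __name__ == "__main__":
    for idx, verb, reason in scan_session(SAMPLE_SESSION):
        print(f"line {idx}: {verb} rejected: {reason}")
```

The validator is deliberately stricter than RFC 5321 allows: a quoted local-part such as `"john doe"@example.com` is legal SMTP but is rejected here because it contains characters a shell would interpret. Rejecting at the SMTP boundary, combined with passing the address as a separate argv element rather than through a shell string, closes both the bounds-checking gap behind the Tabs overflow and the sanitization gap behind the Zimbra injection.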
Timeline
Mar 24, 2026
CVE-2019-25646 recorded for Tabs Mail Carrier MAIL FROM buffer overflow
A CVE entry was recorded for a buffer overflow in Tabs Mail Carrier 2.5.1 triggered by an oversized SMTP MAIL FROM parameter, allowing remote unauthenticated attackers to overwrite EIP and execute arbitrary code. The vulnerability was classified as CWE-787 and marked high severity based on its impact on confidentiality, integrity, and availability.
Mar 24, 2026
CVE-2025-71275 recorded for Zimbra PostJournal SMTP injection RCE
A CVE entry was recorded for a command injection vulnerability in Zimbra Collaboration Suite 8.8.15 PostJournal that allows unauthenticated remote code execution via improper sanitization of the SMTP RCPT TO parameter. The entry classified the flaw as CWE-78 and assigned high-severity CVSS scores, with references including VulnCheck, Packet Storm, and Zimbra.
Related Stories

Critical Unauthenticated RCE Flaws Disclosed in Openfind MailGates and Sagredo qmail
Openfind **MailGates/MailAudit** and **Sagredo qmail** were disclosed with critical remote code execution vulnerabilities that could let attackers compromise exposed mail infrastructure. **CVE-2026-6350** affects Openfind MailGates/MailAudit and is a stack-based buffer overflow (`CWE-121`) that allows an unauthenticated remote attacker to control execution flow and run arbitrary code. The flaw carries a **CVSS v3.1** score reflecting network exploitation with no privileges or user interaction and high impact across confidentiality, integrity, and availability, and was referenced in advisories published by **TWCERT/CC**. A second flaw, **CVE-2026-41113**, affects **Sagredo qmail** versions before `2026.04.07` and enables remote code execution through `tls_quit` because `qmail-remote.c` uses `popen` in the `notlshosts_auto` component, a command injection issue tracked as `CWE-78`. The vulnerability was documented with references to public research, a GitHub publications repository, the fixing commit, pull request `#42`, and the patched `v2026.04.07` release, giving defenders a clear remediation path while underscoring the risk to internet-facing email systems.
2 weeks ago
Actively Exploited Zimbra XSS Leaves Over 10,000 Servers Exposed
More than 10,000 internet-exposed **Zimbra Collaboration Suite** servers remain vulnerable to `CVE-2025-48700`, an actively exploited cross-site scripting flaw that affects ZCS versions `8.8.15`, `9.0`, `10.0`, and `10.1`. The bug lets unauthenticated attackers execute arbitrary JavaScript in a victim’s session and steal sensitive data when a user opens a malicious email in the **Zimbra Classic UI**. Synacor released patches in June 2025, but Shadowserver still reported roughly **10,500** exposed unpatched systems, with the largest concentrations in Asia and Europe. **CISA** has added `CVE-2025-48700` to its **Known Exploited Vulnerabilities** catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within days because the flaw is being abused in the wild. The warning follows a broader pattern of Zimbra vulnerabilities being used in espionage-focused campaigns, with reporting linking earlier exploitation of similar flaws to Russian-aligned groups including **APT28**, **APT29**, and **Winter Vivern** against Ukrainian entities, NATO-aligned organizations, and other targets.
5 days ago
Critical Remote Code Execution Vulnerability in SmarterMail
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-52691, has been identified in SmarterMail, affecting Build 9406 and earlier. This flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, enabling them to execute remote code and potentially gain full control over compromised systems. The vulnerability has been assigned a CVSS score of 10.0, indicating maximum severity, and poses a significant risk of unauthorized access, data exfiltration, malware deployment, and lateral movement within affected networks. SmarterTools has released Build 9413 to address this issue, and immediate patching is strongly advised to mitigate the threat. The vulnerability was discovered by Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT), with responsible disclosure coordinated by the Cyber Security Agency (CSA) of Singapore. Security advisories from both SmarterTools and the Canadian Centre for Cyber Security urge all users and administrators to verify their SmarterMail version and apply the update to Build 9413 or later without delay. Failure to patch leaves organizations exposed to active exploitation and potential compromise of sensitive email communications and infrastructure.
1 month ago