Vulnerability Summary
MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing even when anti-spoofing protections are in place. NOTE: this is disputed by the Supplier because UI spoofing occurs in a client, not in a server such as MDaemon's product or any other server implementation. Also, if a client without its own spoofing protection must be used, the Header Screening feature in MDaemon's product can be employed to mitigate the client-side vulnerability.
Technical Analysis
- CVE ID: CVE-2025-61084
- Published: 2025-11-05T15:15:39.997
- Status: Active
How to Fix & Protect
The primary mitigation is to update the affected software immediately. Check the vendor's official security advisory for the latest patch.
Mitigation: If a patch is not available, restrict network access to the vulnerable component or disable the service.