What is the CVSS score of CVE-2019-25364?

CVE-2019-25364 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of Mailcarrier are affected by CVE-2019-25364?

MailCarrier 2.51 is vulnerable to remote code execution through the POP3 service, allowing unauthenticated attackers to gain complete system control.

Is there a public PoC exploit available for CVE-2019-25364?

Yes, a public proof-of-concept exploit is available for CVE-2019-25364. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2019-25364?

Within 24 hours: Identify all systems running MailCarrier 2.51 and assess if they handle production email or contain sensitive data; isolate affected systems from untrusted networks if feasible. Within 7 days: Implement network-level protections (restrict POP3 access, deploy IDS signatures for exploit attempts) and contact MailCarrier vendor for patch timeline or upgrade path. Within 30 days: Migrate to a patched MailCarrier version or alternative email solution; conduct forensic analysis for signs of exploitation.

Mailcarrier CVE-2019-25364

CRITICAL

Stack-based Buffer Overflow (CWE-121)

2026-02-18 disclosure@vulncheck.com

Buffer Overflow Mailcarrier

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 24, 2026 - 20:41 vuln.today

Public exploit code

CVE Published

Feb 18, 2026 - 22:16 nvd

CRITICAL 9.8

DescriptionCVE.org

MailCarrier 2.51 contains a buffer overflow vulnerability in the POP3 USER command that allows remote attackers to execute arbitrary code. Attackers can send a crafted oversized buffer to the POP3 service, overwriting memory and potentially gaining remote system access.

AnalysisAI

Buffer overflow in MailCarrier 2.51 POP3 server via USER command allows remote attackers to execute arbitrary code. Network-exploitable without authentication. PoC available.

Technical ContextAI

CWE-121 stack overflow in POP3 service. The USER command handler doesn't validate input length, enabling remote code execution.

RemediationAI

Update MailCarrier or migrate to a modern mail server.

CVE-2019-25364 vulnerability details – vuln.today

Back

Mailcarrier CVE-2019-25364

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code