Skip to main content

Canary Mail CVE-2025-65318

CRITICAL
Protection Mechanism Failure (CWE-693)
2025-12-16 cve@mitre.org
9.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Remote attacker delivers an attachment (AV:N/PR:N) but the victim must save and open it, so UI:R rather than UI:N; C/I:H reflect the code-execution the bypass enables, A:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 05, 2026 - 03:26 vuln.today
CVE Published
Dec 16, 2025 - 16:15 cve.org
CRITICAL 9.1

DescriptionCVE.org

When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.

AnalysisAI

Protection-mechanism bypass in Canary Mail 5.1.40 and earlier on Windows lets attacker-supplied email attachments be written to disk without the Mark-of-the-Web (MOTW) NTFS tag, so files that reach a victim through the mail client are treated as trusted local content rather than internet-originated. This defeats SmartScreen, Office Protected View, and other MOTW-aware defenses in Windows and third-party software, materially easing malware delivery. Publicly available exploit code exists; the issue is not listed in CISA KEV and EPSS is low (0.48%, 38th percentile), indicating no evidence of widespread active exploitation.

Technical ContextAI

The flaw sits in Canary Mail's attachment-interaction/save routine on Windows. When an application downloads or writes a file that originates from the internet, it is expected to set the Zone.Identifier Alternate Data Stream (the Mark-of-the-Web) so downstream security controls-Microsoft Defender SmartScreen, Office Protected View, macro-blocking, and various EDR/AV heuristics-know the file is untrusted. Canary Mail omits this tag, so saved attachments inherit local-zone trust. The root cause maps to CWE-693 (Protection Mechanism Failure): the vulnerability is not memory corruption but the absence of an expected safeguard, causing the OS and third-party tools to skip their untrusted-file warnings and execution restrictions. The affected component per NVD CPE is cpe:2.3:a:canarymail:canary_mail on the Windows platform only.

RemediationAI

Upgrade Canary Mail on Windows to a release later than 5.1.40 once the vendor publishes a fixed build; no exact patched version number is confirmed in the available data, so validate the fixed version directly with Canary Mail before deploying (Patch available per vendor advisory could not be confirmed-treat as No vendor-released patch version independently confirmed at time of analysis). Until a fix is confirmed, apply compensating controls: instruct users to save attachments only through a browser or another MOTW-aware client rather than the Canary Mail save function; enforce Office 'Block macros from files from the Internet' and Protected View by Group Policy so untrusted documents are gated even when MOTW is absent (trade-off: does not help executables/scripts and may prompt more user friction); use EDR/AV application-control rules to block execution of freshly written files from mail-attachment directories (trade-off: can interfere with legitimate workflows); and reinforce phishing awareness since delivery still depends on user action. Monitor http://canarymail.com for the security fix.

Share

CVE-2025-65318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy