BlueMail
CVE-2025-65319
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Malicious file delivered over network but victim must save and open the attachment, so UI:R (not UI:N); bypassing MOTW enables high-integrity/confidentiality payload execution, no availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.
AnalysisAI
Protection-mechanism bypass in BlueMail 1.140.103 and earlier on Windows lets attackers deliver files that are saved via the attachment-interaction feature without a Mark-of-the-Web (MOTW) tag, defeating Windows SmartScreen, Office Protected View, and third-party security software that rely on the MOTW zone identifier. Publicly available exploit code exists; the flaw is not listed in CISA KEV and EPSS is low (0.48%, 38th percentile), indicating no confirmed widespread exploitation yet. The practical effect is that a malicious document or executable arriving by email loses the 'downloaded from the Internet' provenance that would normally trigger a warning or block.
Technical ContextAI
The issue stems from how BlueMail's Windows client writes attachments to the local file system. On Windows/NTFS, files originating from untrusted zones are tagged with the Zone.Identifier Alternate Data Stream - the Mark-of-the-Web - which downstream defenses (SmartScreen, Office Protected View, macro-blocking policies, AppLocker/Smart App Control heuristics, and many EDR/AV products) consult before allowing execution or active content. Per CWE-693 (Protection Mechanism Failure), BlueMail does not attach this MOTW tag when persisting attachment data, so the OS-level trust boundary is silently removed rather than a new code path being introduced. The affected build is identified by CPE cpe:2.3:a:blixhq:bluemail:*:*:*:*:*:windows:*:* (Blix Inc.'s BlueMail), scoped specifically to the Windows platform where MOTW semantics apply.
RemediationAI
Upgrade BlueMail for Windows to a release later than 1.140.103 that correctly applies the Mark-of-the-Web tag to saved attachments; no exact fixed version number was supplied in the input data, so confirm the patched build directly with Blix (BlueMail) before deployment - do not rely on a version invented here. As compensating controls until patched: instruct users not to use the in-app save/open attachment flow and instead route attachments through a browser or client that preserves MOTW; enforce Office 'Block macros from running in files from the Internet' and keep Protected View mandatory (note these policies lose effect precisely because MOTW is stripped, so pair them with attachment sandboxing at the mail gateway); apply application allowlisting (AppLocker/WDAC) so unknown executables cannot run regardless of MOTW state (trade-off: administrative overhead and potential blocking of legitimate tools); and consider blocking or quarantining high-risk attachment types (.exe, .js, .hta, macro-enabled Office) at the email gateway, which reduces convenience but removes the delivery vector. Reference the public tracking repository https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319 for technical detail.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today