Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
11DescriptionCVE.org
MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code.
AnalysisAI
Remote unauthenticated code execution in Openfind MailGates (5.0-6.0) and MailAudit (5.0-6.0) via stack-based buffer overflow allows complete system compromise. Attackers can send crafted network requests to exploit CWE-121 buffer overflow conditions without authentication, achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. Vendor patches available (MailGates 6.1.10.054, 5.2.10.099; MailAudit 6.1.10.054, 5.2.10.099). CVSS 9.3 with network attack vector (AV:N), low complexity (AC:L), and no privileges required (PR:N) creates critical exposure for internet-facing mail security appliances. EPSS data unavailable; no confirmed active exploitation or public POC identified at time of analysis.
Technical ContextAI
This vulnerability affects Openfind's mail security gateway products MailGates and MailAudit, which provide email filtering, auditing, and archival capabilities for enterprise deployments. The root cause is CWE-121 (Stack-based Buffer Overflow), occurring when the application fails to properly validate input length before copying data to fixed-size stack buffers. Stack-based overflows are particularly dangerous because they can overwrite return addresses and function pointers stored on the stack, enabling attackers to redirect program execution flow. The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) with low attack complexity (AC:L) and no attack requirements (AT:N), suggesting the vulnerable code path is reachable through standard network protocols without complex preconditions. Affected CPE identifiers confirm both product lines across major version branches: cpe:2.3:a:openfind:mailgates and cpe:2.3:a:openfind:mailaudit. Mail gateway appliances typically expose SMTP, HTTP/HTTPS management interfaces, and proprietary protocols, any of which could contain the vulnerable parsing code.
RemediationAI
Immediately upgrade to patched versions: MailGates 6.1.10.054 or 5.2.10.099, MailAudit 6.1.10.054 or 5.2.10.099, as confirmed by EUVD affected version data. Consult Taiwan CERT advisories at https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html for vendor-specific upgrade procedures and patch distribution channels. If immediate patching is not feasible, implement network segmentation to restrict access to management interfaces to trusted IP ranges only, and place appliances behind web application firewalls or reverse proxies capable of input validation and rate limiting, though these are imperfect mitigations against stack overflows. Monitor for abnormal process crashes, unexpected service restarts, or connection attempts from unknown sources as potential exploitation indicators. Disable any non-essential network-facing services or protocols on the appliance to reduce attack surface. Note that WAF/proxy mitigations may impact legitimate mail processing performance and require testing; network restrictions may complicate remote administration workflows. No workaround fully addresses the underlying memory corruption issue-patching remains the only complete remediation.
The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote att
Openfind MailGates contains a Command Injection flaw, when receiving email with specific strings, malicious code in the
MailGates and MailAudit products contain Command Injection flaw, which can be used to inject and execute system commands
CRLF Injection in Openfind MailGates/MailAudit allows remote unauthenticated attackers to read arbitrary system files vi
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23166
GHSA-6v5j-prr3-phf9