CVE-2025-61084

Description

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing even when anti-spoofing protections are in place. NOTE: this is disputed by the Supplier because UI spoofing occurs in a client, not in a server such as MDaemon's product or any other server implementation. Also, if a client without its own spoofing protection must be used, the Header Screening feature in MDaemon's product can be employed to mitigate the client-side vulnerability.

PUBLISHED Reserved 2025-09-26 | Published 2025-11-05 | Updated 2025-11-13 | Assigner mitre

References

github.com/...-References/blob/main/CVE-2025-61084/README.md

cve.org (CVE-2025-61084)

nvd.nist.gov (CVE-2025-61084)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.