CVE-2007-3925

Ipswitch IMail Server < 2006.21 - Authenticated Remote Code Execution via IMAP Search Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2007-3925. PoCs published by Metasploit, ZhenHan.Liu, MC, including Metasploit module exploits/windows/imap/ipswitch_search.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack buffer overflow in Ipswitch IMail Server 2006.1 via the IMAP SEARCH command. It sends an overly long string to overwrite the buffer and execute arbitrary code, requiring the target user to have at least one message.

Description

Multiple buffer overflows in the IMAP service (imapd32.exe) in Ipswitch IMail Server 2006 before 2006.21 allow remote authenticated users to execute arbitrary code via the (1) Search or (2) Search Charset command.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16487

This is a Metasploit module exploiting a stack buffer overflow in Ipswitch IMail Server 2006.1 via the IMAP SEARCH command. It sends an overly long string to overwrite the buffer and execute arbitrary code, requiring the target user to have at least one message.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ipswitch IMail Server 2006.1
Auth required
Prerequisites: Valid IMAP credentials · Target user must have at least one message
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by ZhenHan.Liu · perlremotewindows
https://www.exploit-db.com/exploits/4223

This exploit targets a stack overflow vulnerability in Ipswitch IMail Server 2006 IMAP SEARCH command. It leverages a buffer overflow in the handling of the SEARCH command to execute arbitrary shellcode, providing remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ipswitch IMail Server 2006 (imap4d32.exe version 6.8.8.1)
Auth required
Prerequisites: Valid IMAP account credentials · At least one mail in the mailbox
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/imap/ipswitch_search.rb

This Metasploit module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 via the IMAP SEARCH command. It sends a crafted payload to overwrite the buffer and execute arbitrary code, requiring an authenticated IMAP user with at least one message.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ipswitch IMail Server 2006.1
Auth required
Prerequisites: Authenticated IMAP access · Target user must have at least one message
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35496
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35500
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2574
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/24962
Third Party Advisory third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018419
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26123

Scores

EPSS 0.8467
EPSS Percentile 99.7%

Details

CWE
CWE-119
Status published
Products (2)
ipswitch/imail_server < 2006.2
ipswitch/ipswitch_collaboration_suite < 2006.2
Published Jul 21, 2007
Tracked Since Feb 18, 2026