CVE-2019-12706

HIGH

Cisco Email Security Appliance Firmware < 13.5.0 - Unauthenticated Filter Bypass via SPF Message Validation

Title source: llm
STIX 2.1

Description

A vulnerability in the Sender Policy Framework (SPF) functionality of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the configured user filters on an affected device. The vulnerability exists because the affected software insufficiently validates certain incoming SPF messages. An attacker could exploit this vulnerability by sending a custom SPF packet to an affected device. A successful exploit could allow the attacker to bypass the configured header filters, which could allow malicious content to pass through the device.

References (1)

Core 1
Core References

Scores

CVSS v3 7.5
EPSS 0.0131
EPSS Percentile 67.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (1)
cisco/email_security_appliance_firmware < 13.5.0
Published Oct 02, 2019
Tracked Since Feb 18, 2026