CVE-2023-51764

MEDIUM

Postfix < 3.5.23 - SMTP Smuggling via Bare Newline Injection

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2023-51764. PoCs published by duy-31, eeenvik1, d4op.

AI-analyzed exploit summary This is a working proof-of-concept exploit for CVE-2023-51764, demonstrating SMTP smuggling in Postfix. It leverages the vulnerability to send multiple spoofed emails within a single legitimate email, bypassing SPF/DKIM/DMARC checks for the nested emails.

Description

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Exploits (4)

nomisec WORKING POC 22 stars

by duy-31 · poc

https://github.com/duy-31/CVE-2023-51764

View Code ZIP pw:eip

This is a working proof-of-concept exploit for CVE-2023-51764, demonstrating SMTP smuggling in Postfix. It leverages the vulnerability to send multiple spoofed emails within a single legitimate email, bypassing SPF/DKIM/DMARC checks for the nested emails.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Postfix (SMTP server)

No auth needed

Prerequisites: Valid sender email domain with SPF/DKIM/DMARC records · Access to a vulnerable Postfix SMTP server · Expect tool installed

MITRE ATT&CK

T1566.002 - Spearphishing Link

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by eeenvik1 · poc

https://github.com/eeenvik1/CVE-2023-51764

View Code ZIP pw:eip

The repository contains two Python scripts demonstrating SMTP smuggling (CVE-2023-51764) by exploiting Postfix's handling of SMTP commands. The scripts send emails with spoofed sender addresses via ports 25 and 465, leveraging improper command injection in the email body.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Postfix (SMTP server)

Auth required

Prerequisites: Valid SMTP server credentials · Access to SMTP server on port 25 or 465

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1059.006 - Python

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by d4op · poc

https://github.com/d4op/CVE-2023-51764-POC

View Code ZIP pw:eip

This PoC demonstrates SMTP smuggling (CVE-2023-51764) by exploiting improper handling of SMTP commands to spoof emails. It sends multiple emails with forged sender addresses by manipulating the SMTP protocol flow.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: SMTP servers vulnerable to SMTP smuggling

No auth needed

Prerequisites: Network access to vulnerable SMTP server · SMTP server that mishandles command sequences

MITRE ATT&CK

T1566.001 - Spearphishing Attachment

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Double-q1015 · poc

https://github.com/Double-q1015/CVE-2023-51764

View Code ZIP pw:eip

This PoC exploits CVE-2023-51764, an SMTP authentication bypass vulnerability, by sending crafted AUTH PLAIN commands to spoof sender/recipient emails. It uses an Expect script to automate the interaction with the SMTP server.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: 163 SMTP server (smtp.163.com)

Auth required

Prerequisites: SMTP server access · valid authentication credentials

MITRE ATT&CK