CVE-2025-34490

MEDIUM

GFI Mailessentials < 21.8 - XXE

Title source: rule

Description

GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.

References (3)

[Exploit] https://frycos.github.io/vulns4free/2025/04/28/mailessentials.html

[Release Notes] https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases

[Third Party Advisory] https://www.vulncheck.com/advisories/gfi-mailessentials-xxe-arbitrary-file-read

Scores

CVSS v3 6.5

EPSS 0.0013

EPSS Percentile 32.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (1)

gfi/mailessentials < 21.8

Published Apr 28, 2025

Tracked Since Feb 18, 2026