CISA Lists MDaemon Email Server XSS Vulnerability in KEV Catalog

A newly disclosed security flaw, tracked as CVE-2024-11182, has been identified in MDaemon Email Server versions before 24.5.1c.

This vulnerability is classified as a cross-site scripting (XSS) issue under CWE-79, which involves improper neutralization of input during web page generation.

Specifically, attackers can exploit this flaw by sending a specially crafted HTML email containing malicious JavaScript code embedded within an <img> tag.

When a recipient views the email via webmail, the JavaScript executes in the context of their browser, potentially leading to unauthorized actions, data theft, or further compromise of user accounts.

The vulnerability is rated as medium severity, with a CVSS score of 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), indicating that it is exploitable remotely, requires no privileges, and relies on user interaction.

The Exploit Prediction Scoring System (EPSS) estimates a 0.06% probability of exploitation in the next 30 days, but the presence of active exploits and the “In The Wild” tag significantly raises the urgency for remediation.

Technical Details and Exploitation Risks

The technical root of CVE-2024-11182 lies in the server’s failure to properly sanitize user-controlled input before rendering it in the webmail interface.

The classic XSS attack vector here involves embedding JavaScript code in an HTML email, such as:

    <img src="x" onerror="alert('XSS Exploit');">

When this email is viewed in a vulnerable version of MDaemon’s webmail, the script executes in the user’s browser context.

This can enable attackers to:

  • Steal session cookies or authentication tokens
  • Initiate actions on behalf of the victim (such as changing account settings)
  • Deliver additional malware or phishing payloads
  • Escalate privileges if the victim is an administrator

Recent reports indicate that this vulnerability has been leveraged in cyber-espionage campaigns, notably by the Russian state-sponsored group APT28, underscoring its real-world impact and the necessity for immediate mitigation.

Mitigation, Compliance, and Next Steps

Organizations using MDaemon Email Server versions 20.0.0 through 24.5.0 are at risk and should prioritize updating to version 24.5.1c or later, which addresses this vulnerability.

If immediate patching is not feasible, additional mitigations include:

  • Employing web application firewalls (WAFs) to filter malicious content
  • Restricting access to the webmail interface using Portal ACLs or similar controls
  • Educating users about the risks of suspicious emails and potential phishing attempts

For U.S. federal agencies and contractors, compliance with CISA’s Binding Operational Directive (BOD) 22-01 is mandatory.

BOD 22-01 requires the remediation of all known exploited vulnerabilities within specified timelines to reduce risk across the federal enterprise.

Agencies must report on remediation status and may face additional scrutiny if vulnerabilities remain unaddressed.

Organizations unable to apply mitigations or updates should consider discontinuing use of the affected product to prevent exploitation.

Key Dates:

  • Vulnerability disclosed: May 19, 2025
  • Remediation due date (per BOD 22-01): June 9, 2025

CVE-2024-11182 presents a significant risk to organizations using vulnerable versions of MDaemon Email Server, with active exploitation already observed.

Prompt patching and adherence to federal directives are essential to safeguard sensitive information and maintain operational integrity.

Failure to act could result in account compromise, data breaches, or further attacks leveraging this XSS flaw.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
