CVE-2025-34490: GFI MailEssentials XXE Vulnerability
First published: Mon Apr 28 2025(Updated: )
GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.
Credit: disclosure@vulncheck.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GFI MailEssentials | <21.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-34490?
CVE-2025-34490 is classified as a medium severity vulnerability due to its potential for data exposure through XML External Entity (XXE) attacks.
How do I fix CVE-2025-34490?
To resolve CVE-2025-34490, upgrade GFI MailEssentials to version 21.8 or later.
What type of attack can exploit CVE-2025-34490?
CVE-2025-34490 can be exploited through crafted HTTP requests that trigger XML External Entity (XXE) vulnerabilities.
Who is affected by CVE-2025-34490?
CVE-2025-34490 affects users of GFI MailEssentials versions prior to 21.8.
What can an attacker do with CVE-2025-34490?
An authenticated and remote attacker can exploit CVE-2025-34490 to read arbitrary system files on the server.
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/title
- agent/author
- agent/source
- agent/references
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/gfi
- canonical/gfi mailessentials