Cyber Posture

CVE-2025-65318

Critical · Public PoC

Published: 16 December 2025

Modified: 31 December 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0013 (32.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- [prevent] Directly addresses the CVE by requiring identification, reporting, and timely remediation of the flaw in Canary Mail that fails to apply MOTW tags to saved attachments.
- [prevent] Requires defining, associating, and enforcing security attributes such as MOTW on files saved from untrusted email attachments to prevent bypass of OS and third-party protections.
- [prevent, detect] Mandates malicious code protection mechanisms at email entry points to scan, detect, and eradicate malicious attachments even if they are saved without MOTW tags.

Security Summary [AI-generated]

CVE-2025-65318 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting Canary Mail versions 5.1.40 and below. The issue lies in the attachment interaction functionality: the application saves documents to the file system without applying the Windows Mark-of-the-Web (MOTW) tag. The flaw, classified under CWE-693 (Protection Mechanism Failure), lets attackers bypass the built-in file protection mechanisms of the Windows operating system as well as those of third-party security software.

A remote attacker with no privileges or user interaction required can exploit this vulnerability by delivering a malicious document via email to a victim running an affected Canary Mail version. When the victim interacts with the attachment, the application saves it to disk without the MOTW tag, so the file can run without triggering the security warnings or blocks that MOTW-aware protections would otherwise apply. Successful exploitation has high confidentiality and integrity impact and may enable arbitrary code execution, malware persistence, or data exfiltration without detection by host protections.

Vendor information is available at http://canary.com and http://canarymail.com. Technical analysis and proof-of-concept resources are published on GitHub at https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319, with a related Google Drive link at https://drive.google.com/file/d/14wrTzvcLPfFsWmy-SAtDwwZKKPssBsx5/view and a further repository at https://github.com/nickvourd/RTI-Toolkit. Security practitioners should consult these for patch information and mitigation guidance, such as upgrading Canary Mail to a version later than 5.1.40.

Details

CWE(s)

CWE-693 (Protection Mechanism Failure)

Affected Products

Vendor: canarymail
Product: canary mail
Versions: ≤ 5.1.40

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1553.005 Mark-of-the-Web Bypass (Defense Impairment)
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.
Why these techniques?

The vulnerability directly bypasses the Windows Mark-of-the-Web (MOTW) tag on saved email attachments, matching T1553.005: Mark-of-the-Web Bypass, enabling execution of malicious files without security warnings or blocks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
