Cyber Posture

CVE-2025-65319

Critical · Public PoC

Published: 16 December 2025

Modified: 31 December 2025
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0013 (32.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Requires automatic application of security markings like the Mark-of-the-Web tag to files saved from email attachments, directly preventing bypass of Windows and third-party file protections.

prevent, detect: Deploys malicious code protection mechanisms at email client entry points to scan and eradicate threats in attachments, mitigating execution risks from unmarked files.

detect: Mandates identification of external malicious code in attachments using defined mechanisms, enabling preventive actions despite lack of file markings.

Security Summary [AI-generated]

CVE-2025-65319 is a high-severity vulnerability in Blue Mail version 1.140.103 and below, published on 2025-12-16. It occurs in the attachment interaction functionality, where the application saves documents to the file system without applying a Mark-of-the-Web tag. This flaw enables attackers to bypass built-in file protection mechanisms provided by the Windows operating system and third-party software. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified under CWE-693.

The vulnerability can be exploited by unauthenticated remote attackers with network access, requiring low complexity and no user interaction. Exploitation involves tricking a user into interacting with a malicious email attachment in Blue Mail, resulting in the document being saved without security markings. This grants attackers high-impact access to confidentiality and integrity, allowing malicious files—such as executables or scripts—to execute without triggering Windows Defender SmartScreen or similar protections, potentially leading to code execution or further compromise.
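As an added defender-side check (not part of the advisory and not Blue Mail's own code), the Python below audits a directory for saved attachments that lack the Zone.Identifier alternate data stream which carries the Mark-of-the-Web on NTFS, i.e. exactly the artefact this CVE says is never written. The extension list, the sample directory and its file names are constructed assumptions for illustration.

```python
import tempfile
from pathlib import Path
from typing import Optional

# URLMON zone ids: SmartScreen and Office Protected View act on 3 (Internet) and 4 (Restricted).
ZONE_NAMES = {0: "Local Machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Extensions to flag when untagged (assumption: adjust to your environment).
RISKY_SUFFIXES = (".exe", ".msi", ".js", ".vbs", ".lnk", ".iso", ".zip", ".docm", ".xlsm")

def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """ZoneId from a Zone.Identifier stream body ([ZoneTransfer] section), else None."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        key, sep, value = line.partition("=")
        if in_section and sep and key.strip().lower() == "zoneid":
            return int(value.strip()) if value.strip().isdigit() else None
    return None

def read_motw(path: Path) -> Optional[int]:
    """Read the file's Zone.Identifier alternate data stream (NTFS). None = no MOTW tag;
    on a non-NTFS volume the open fails and the file is likewise reported as untagged."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def find_untagged(directory: Path) -> list:
    """[(name, zone)] for risky-type files that carry no Internet/Restricted zone tag."""
    hits = []
    for p in sorted(directory.iterdir()):
        if p.is_file() and p.suffix.lower() in RISKY_SUFFIXES:
            zone = read_motw(p)
            if zone is None or zone < 3:
                hits.append((p.name, zone))
    return hits

def demo() -> list:
    """Constructed sample directory: one attachment written with no MOTW stream at all."""
    d = Path(tempfile.mkdtemp())
    (d / "invoice.docm").write_bytes(b"constructed sample, not a real document")
    (d / "notes.txt").write_bytes(b"plain text, not in the risky list")
    return find_untagged(d)
```

Run `find_untagged` against the mail client's attachment folder on a Windows host; every hit is a file that SmartScreen and Protected View will treat as local rather than Internet-origin.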

Advisories and additional details are available via vendor reference at http://blue.com, a technical document at https://drive.google.com/file/d/1dVzXuHBk3B1DiFpwFYwj2NNjeKGnGSwT/view, and GitHub repositories including https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319, which covers this CVE alongside CVE-2025-65318. Other references point to related exploit toolkits at https://github.com/nickvourd/RTI-Toolkit and https://github.com/rip1s/CVE-2017-11882. Security practitioners should review these sources for mitigation guidance, patches, or workarounds specific to Blue Mail.

Details

CWE(s)

Affected Products

blixhq bluemail, versions ≤ 1.140.103

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1553.005 Mark-of-the-Web Bypass (tactic: Defense Impairment)
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.

T1566.001 Spearphishing Attachment (tactic: Initial Access)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
Why these techniques?

Directly enables Mark-of-the-Web Bypass (T1553.005) by saving attachments without security tags, bypassing Windows protections like SmartScreen; facilitates Spearphishing Attachment (T1566.001) via malicious email attachments in the email client.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
