
CVE-2025-61084: n/a

Severity: High
Published: Wed Nov 05 2025 (11/05/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

MDaemon Mail Server 23.5.2 validates SPF, DKIM, and DMARC using the email enclosed in angle brackets (<>) in the From: header of SMTP DATA. An attacker can craft a From: header with multiple invisible Unicode thin spaces to display a spoofed sender while passing validation, allowing email spoofing even when anti-spoofing protections are in place. NOTE: this is disputed by the Supplier because UI spoofing occurs in a client, not in a server such as MDaemon's product or any other server implementation. Also, if a client without its own spoofing protection must be used, the Header Screening feature in MDaemon's product can be employed to mitigate the client-side vulnerability.

AI-Powered Analysis

AI analysis last updated: 11/19/2025, 16:08:32 UTC

Technical Analysis

CVE-2025-61084 describes how MDaemon Mail Server 23.5.2 selects the identity it authenticates: when validating SPF, DKIM and DMARC for a message, the server uses the address enclosed in angle brackets (<>) in the From: header received during SMTP DATA. That is the RFC 5322 From address against which DMARC alignment is defined, so the server's choice is the standard one. The problem is what an attacker can place in front of it. The display-name portion of the header can carry the spoofed address the attacker wants the recipient to see, followed by a run of invisible Unicode thin spaces, after which the real, bracketed address follows. SPF, DKIM and DMARC then pass legitimately for the attacker's own domain, while a mail client rendering the header shows the spoofed text first and may never show the bracketed address at all. The authentication results are not forged; the deception is that the authenticated identity and the displayed identity are different strings within the same header.

The supplier disputes that this is a server-side vulnerability, arguing that the misleading rendering happens in the client and that the server validates the correct identity. The supplier also points to MDaemon's Header Screening feature, which acts on the content of message headers and can therefore be used to reject or quarantine From: headers that combine address-like text in the display name with unusual Unicode whitespace, as a mitigation for clients that lack their own protection.

This analysis lists a CVSS v3.1 score of 7.1 (high), characterising the issue as remotely exploitable, requiring low privileges and no user interaction, with an impact on the integrity of email. Note that the CVE record's own metadata below shows no CVSS version, so the score is this page's estimate rather than a vector published by the assigner. No public exploit is known at the time of writing. The weaknesses cited are improper input validation (CWE-20) and improper neutralization of special elements in output (CWE-116). The practical consequence is that spoofed mail can appear legitimate to recipients despite anti-spoofing checks, supporting phishing, business email compromise and other social-engineering attacks.

Potential Impact

For European organizations the risk is to the integrity and trustworthiness of email. Mail crafted this way carries genuine SPF, DKIM and DMARC passes for the attacker's domain, so gateway authentication alone will not stop it, and recipients see a sender they trust. That raises the success rate of phishing, malware delivery and business email compromise, with the usual downstream effects: data breaches, financial fraud, reputational damage and operational disruption. The bypass itself needs no action from the recipient and can be sent at scale, although the attack still depends on the recipient acting on the message. Sectors that are frequent phishing targets in Europe, such as finance, government, healthcare and critical infrastructure, are the most exposed, and organizations that rely on MDaemon Mail Server for critical communications may see this vector used in targeted campaigns. Because the supplier disputes that the issue is a server-side flaw, a code change may be delayed or never arrive, so organizations should not wait for one; the Header Screening feature is the practical mitigation path. Overall the issue undermines the assurance that widely deployed email authentication is expected to provide and erodes trust in email within affected organizations.

Mitigation Recommendations

European organizations running MDaemon Mail Server 23.5.2 should assess their exposure now. No official patch is available, and given the supplier's position none should be assumed, so the first step is to enable and configure MDaemon's Header Screening feature to reject or quarantine From: headers that contain non-ASCII Unicode whitespace (thin spaces and similar separators) or that combine an address-like string in the display name with a different address in angle brackets. The same rule belongs at any upstream gateway that normalizes or filters headers, since the check is plain pattern matching on the From: value. Anti-phishing products that perform heuristic and behavioural analysis can catch messages that pass SPF, DKIM and DMARC yet look wrong. Because the spoof is ultimately a rendering problem, also review which mail clients are in use and whether they display the actual angle-bracket address rather than only the display name; prefer clients that do, or that flag a mismatch between the two. Train users to treat unexpected messages with suspicion even when the sender looks familiar, and monitor mail logs for repeated From: headers containing unusual Unicode whitespace, which indicates attempts. Stay in contact with MDaemon support for any official update, and make sure the incident response plan covers phishing and spoofing incidents so they can be handled quickly.
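As an added example (not code from this page, from MDaemon, or from the CVE record), the following Python models the two readings of a From: header that the technical analysis above contrasts: the address a server behaving as described authenticates (taken here as the last angle-bracket group, or a bare addr-spec when there are no brackets) and the display-name text a client shows first. It then applies the screening rule the mitigation section recommends: flag non-ASCII whitespace in the display name, and reject when that padding is combined with an address-shaped string whose domain differs from the authenticated one. The sample headers are constructed; the thin-space padding follows the CVE text, and treating the last angle-bracket group as the authenticated address is an assumption about the behaviour described, not a statement of MDaemon's parsing code. The pattern is the kind a practitioner would translate into a Header Screening or gateway rule; MDaemon's own rule syntax is not shown here.

```python
import re
import unicodedata

# Constructed sample From: header values (not captured traffic). The "spoofed"
# one follows the pattern the CVE text describes: a lookalike address in the
# display-name part, padded with U+2009 THIN SPACE so that the real
# angle-bracket address is pushed out of view in a client, while the server
# authenticates the bracketed address.
THIN_SPACE = "\u2009"
SAMPLES = {
    "legit":   "Alice Example <alice@example.com>",
    "spoofed": "ceo@bank.example" + THIN_SPACE * 60 + "<attacker@evil.example>",
    "bare":    "bob@example.org",
}

ANGLE_ADDR_RE = re.compile(r"<([^<>]*)>")
ADDR_SPEC_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Formatting characters that render as nothing at all (not category Zs).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def authenticated_address(from_value):
    """Address a server behaving as the CVE describes would validate (assumed
    model): the addr-spec inside the last <...> group, or the bare addr-spec
    when there are no angle brackets. Returns None if neither is present."""
    groups = ANGLE_ADDR_RE.findall(from_value)
    if groups:
        return groups[-1].strip()
    m = ADDR_SPEC_RE.fullmatch(from_value.strip())
    return m.group(0) if m else None


def display_name_part(from_value):
    """Everything before the last '<': the phrase a client renders as the sender."""
    idx = from_value.rfind("<")
    return from_value[:idx] if idx != -1 else ""


def hidden_whitespace(text):
    """Unicode space separators other than ASCII space (category Zs, e.g.
    U+2009 THIN SPACE) plus zero-width characters found in text."""
    return sorted(
        {c for c in text
         if (unicodedata.category(c) == "Zs" and c != " ") or c in ZERO_WIDTH}
    )


def domain_of(addr):
    """Lower-cased domain part of an addr-spec, or None."""
    return addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else None


def analyze_from(from_value):
    """Screen one From: header value.

    'authenticated' is the address SPF/DKIM/DMARC alignment is evaluated
    against, 'dmarc_domain' its domain, 'lookalikes' are address-shaped
    strings in the display-name part whose domain differs from it, and
    'hidden_ws' lists the padding codepoints seen. Padding plus a lookalike
    yields 'reject'; either alone yields 'flag'; otherwise 'pass'."""
    auth = authenticated_address(from_value)
    name = display_name_part(from_value)
    ws = hidden_whitespace(name)
    lookalikes = [a for a in ADDR_SPEC_RE.findall(name)
                  if domain_of(a) != domain_of(auth)]
    if ws and lookalikes:
        verdict = "reject"
    elif ws or lookalikes:
        verdict = "flag"
    else:
        verdict = "pass"
    return {
        "authenticated": auth,
        "dmarc_domain": domain_of(auth),
        "lookalikes": lookalikes,
        "hidden_ws": ["U+%04X" % ord(c) for c in ws],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, analyze_from(value))
```

Running the script shows the point of the CVE: for the spoofed sample the authenticated address and DMARC domain are the attacker's (attacker@evil.example, evil.example), so the authentication results are genuine, while the display name carries ceo@bank.example padded with U+2009. A gateway rule only needs the last two observations (a non-ASCII space separator in the display name and an address-like string there with a different domain) to reject the message before any client renders it.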


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-09-26T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 690b648deb4434bb4f926ce6

Added to database: 11/5/2025, 2:51:57 PM

Last enriched: 11/19/2025, 4:08:32 PM

Last updated: 12/20/2025, 6:17:25 PM

