CVE-2025-65318
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-17

Assigner: MITRE

Description
When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65318
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
microsoft office 16
blue_mail blue_mail 1.140.103
canarymail canary_mail 5.1.40
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include avoiding the use of Canary Mail version 5.1.40 and below for opening or saving attachments, as these versions save documents without the Mark-of-the-Web tag, allowing attackers to bypass file protection mechanisms. You should update Canary Mail to a version that addresses this issue if available. Additionally, be cautious with opening DOCX attachments from untrusted sources, especially those that may contain remote template injections. Employ security controls to detect and block malicious documents, and consider disabling automatic loading of remote templates in Microsoft Office settings. Monitoring for exploitation attempts using detection tools like the RTI-Toolkit can also help mitigate risk. [1, 5]

Executive Summary

CVE-2025-65318 is a vulnerability in Canary Mail version 5.1.40 and below where the application saves email attachments to the file system without applying a Mark-of-the-Web (MOTW) tag. This tag is a security feature that helps Windows OS and third-party software recognize files downloaded from the internet and apply appropriate protections. Without the MOTW tag, attackers can bypass these built-in file protection mechanisms. The vulnerability can be exploited by sending crafted documents that, when saved or opened via Canary Mail, execute malicious code by leveraging Remote Template Injection in Microsoft Office documents. [5]

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on affected systems. Attackers can craft malicious documents that exploit the lack of the Mark-of-the-Web tag when attachments are saved or opened using Canary Mail. This allows malicious code embedded in the documents to execute without additional user interaction, potentially compromising the victim's system, especially if they are running vulnerable versions of Microsoft Office Word (version 16 and below). [5]

Detection Guidance

You can detect this vulnerability by scanning DOCX files for the presence of remote template links that indicate exploitation attempts. The RTI-Toolkit provides a PowerShell cmdlet called Invoke-Identify which scans DOCX files to detect remote template links embedded in the document's XML structure. This helps identify potentially malicious documents exploiting CVE-2025-65318. The toolkit operates purely in PowerShell and requires no additional dependencies. Using Invoke-Identify on suspicious DOCX files can help detect the vulnerability on your system. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65318. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart