CVE-2025-65318
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | office | 16 |
| blue_mail | blue_mail | 1.140.103 |
| canarymail | canary_mail | 5.1.40 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65318 is a vulnerability in Canary Mail version 5.1.40 and below where the application saves email attachments to the file system without applying a Mark-of-the-Web (MOTW) tag. This tag is a security feature that helps Windows OS and third-party software recognize files downloaded from the internet and apply appropriate protections. Without the MOTW tag, attackers can bypass these built-in file protection mechanisms. The vulnerability can be exploited by sending crafted documents that, when saved or opened via Canary Mail, execute malicious code by leveraging Remote Template Injection in Microsoft Office documents. [5]
How can this vulnerability impact me?
This vulnerability can lead to remote code execution (RCE) on affected systems. Attackers can craft malicious documents that exploit the lack of the Mark-of-the-Web tag when attachments are saved or opened using Canary Mail. This allows malicious code embedded in the documents to execute without additional user interaction, potentially compromising the victim's system, especially if they are running vulnerable versions of Microsoft Office Word (version 16 and below). [5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by scanning DOCX files for the presence of remote template links that indicate exploitation attempts. The RTI-Toolkit provides a PowerShell cmdlet called Invoke-Identify which scans DOCX files to detect remote template links embedded in the document's XML structure. This helps identify potentially malicious documents exploiting CVE-2025-65318. The toolkit operates purely in PowerShell and requires no additional dependencies. Using Invoke-Identify on suspicious DOCX files can help detect the vulnerability on your system. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of Canary Mail version 5.1.40 and below for opening or saving attachments, as these versions save documents without the Mark-of-the-Web tag, allowing attackers to bypass file protection mechanisms. You should update Canary Mail to a version that addresses this issue if available. Additionally, be cautious with opening DOCX attachments from untrusted sources, especially those that may contain remote template injections. Employ security controls to detect and block malicious documents, and consider disabling automatic loading of remote templates in Microsoft Office settings. Monitoring for exploitation attempts using detection tools like the RTI-Toolkit can also help mitigate risk. [1, 5]