Skip to main content
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Cross-Site Scripting in MDaemon Email Server Webmail

IdentifiersCVE-2024-11182CWE-79· Improper Neutralization of Input…

CVE-2024-11182 is a cross-site scripting (XSS) vulnerability in MDaemon Email Server before version 24.5.1c. The issue can be triggered by sending a crafted HTML email containing JavaScript in an img tag to a user of the MDaemon webmail interface. When the victim opens the malicious message in the vulnerable webmail portal, the attacker-supplied script executes in the context of the victim’s browser session for that webmail application. Reporting on in-the-wild exploitation indicates the flaw was used as a zero-day in espionage operations and enabled injection of arbitrary JavaScript into the webmail page, allowing access to data and actions available to the authenticated user within that browser context.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows execution of arbitrary JavaScript in the victim’s authenticated webmail session. This can lead to session hijacking, theft of webmail credentials, unauthorized access to mailbox contents, exfiltration of emails, contacts, login history, and potentially two-factor authentication-related data. Reporting on observed exploitation also indicates attackers could create application passwords in some cases, enabling continued mailbox access and effective bypass of MFA protections for the compromised account. The impact is generally confined to the webmail application context rather than direct compromise of the underlying host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting or temporarily disabling vulnerable webmail access, especially from untrusted networks. Apply HTML email sanitization and filtering controls to block or neutralize active content and suspicious img-tag-based payloads in inbound mail. Use web application firewall or reverse-proxy protections where feasible to detect and block exploit patterns. Enforce MFA, monitor for creation of application passwords, and alert on anomalous mailbox access, session reuse, or data exfiltration behavior. User awareness alone is insufficient because exploitation occurs when the email is opened in vulnerable webmail.

Remediation

Patch, then assume compromise.

Upgrade MDaemon Email Server to a fixed release. The provided content states the vulnerability affects versions before 24.5.1c and that vendor patching was issued in the 24.5.1 line; organizations should deploy the latest vendor-supported version that includes the fix and verify that all webmail components are updated. Review mailboxes and webmail logs for indicators of exploitation, including suspicious HTML emails, anomalous session activity, unauthorized application passwords, and unexpected mailbox access or forwarding behavior. Reset affected user sessions and credentials, revoke unauthorized app passwords, and rotate MFA secrets if compromise is suspected.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
MDaemon TechnologiesMdaemonapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

28 SOURCESView more in app
ics cert kasperskyNews
Sep 4, 2025
APT and financial attacks on industrial organizations in Q2 2025 | Kaspersky ICS CERT

A zero-day cross-site scripting (XSS) flaw in MDaemon Email Server’s HTML rendering that enabled execution of malicious JavaScript in victims’ webmail sessions, used by Sednit/APT28 in spear-phishing (Operation RoundPress).

Read more
help net securityNews
May 21, 2025
Nation-state APTs ramp up attacks on Ukraine and the EU

A zero-day vulnerability in MDaemon Email Server exploited by the Sednit group in targeted attacks against Ukrainian companies.

Read more
infosecurity magazine comNews
May 20, 2025
Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits and Wipers

A zero-day cross-site scripting (XSS) vulnerability in MDaemon Email Server exploited by Fancy Bear (APT28) for targeted attacks against Ukrainian companies.

Read more
cyberthroneNews
May 20, 2025
CISA Adds Six Vulnerabilities to KEV Catalog

A cross-site scripting vulnerability in MDaemon Email Server webmail that can enable session hijacking and unauthorized email access.

Read more
+7 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity17

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-11182
NVD
nvd.nist.gov/vuln/detail/CVE-2024-11182
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Release Notes
files.mdaemon.com/mdaemon/beta/RelNotes_en.html
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11182