Cyber Posture

CVE-2025-65319

Critical · Public PoC

Published: 16 December 2025
Modified: 31 December 2025
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65319 is a critical-severity Protection Mechanism Failure (CWE-693) vulnerability in Blixhq Bluemail. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Mark-of-the-Web Bypass (T1553.005). The CVE ranks at the 27.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-15 (Automated Marking) and SC-35 (External Malicious Code Identification).

Threat & Defense at a Glance

What attackers do: exploitation maps to Mark-of-the-Web Bypass (T1553.005) and one other technique (Spearphishing Attachment, T1566.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-15 Automated Marking (prevent): Requires automatic application of security markings like the Mark-of-the-Web tag to files saved from email attachments, directly preventing bypass of Windows and third-party file protections.

Malicious code protection (prevent, detect): Deploys malicious code protection mechanisms at email client entry points to scan and eradicate threats in attachments, mitigating execution risks from unmarked files.

SC-35 External Malicious Code Identification (detect): Mandates identification of external malicious code in attachments using defined mechanisms, enabling preventive actions despite lack of file markings.

MITRE ATT&CK Enterprise Techniques

T1553.005 Mark-of-the-Web Bypass (Defense Impairment): Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.

T1566.001 Spearphishing Attachment (Initial Access): Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.

Why these techniques?

Directly enables Mark-of-the-Web Bypass (T1553.005) by saving attachments without security tags, bypassing Windows protections like SmartScreen; facilitates Spearphishing Attachment (T1566.001) via malicious email attachments in the email client.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.

Deeper analysis

CVE-2025-65319 is a high-severity vulnerability in Blue Mail version 1.140.103 and below, published on 2025-12-16. It occurs in the attachment interaction functionality, where the application saves documents to the file system without applying a Mark-of-the-Web tag. This flaw enables attackers to bypass built-in file protection mechanisms provided by the Windows operating system and third-party software. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified under CWE-693.

The vulnerability can be exploited by unauthenticated remote attackers with network access, requiring low complexity and no user interaction. Exploitation involves tricking a user into interacting with a malicious email attachment in Blue Mail, resulting in the document being saved without security markings. This grants attackers high-impact access to confidentiality and integrity, allowing malicious files—such as executables or scripts—to execute without triggering Windows Defender SmartScreen or similar protections, potentially leading to code execution or further compromise.
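A defender-side audit of what the NVD description calls out (documents written to disk with no Mark-of-the-Web tag), added here as an example that is not Blue Mail's code or this page's own: it reads the NTFS Zone.Identifier stream that Windows keeps as the MOTW, lists saved attachments that carry no zone id, and can stamp ZoneId=3 onto them, which is the automated marking AC-15 asks for. The attachment directory and file names are assumptions, and the stream reads and writes only mean something on Windows/NTFS; the parser is platform-independent.

```python
# Audit saved attachments for a Mark-of-the-Web tag and add one where it is missing.
# On NTFS the MOTW is the "Zone.Identifier" alternate data stream (ADS): an INI-style
# text stream ("[ZoneTransfer]" / "ZoneId=3") that SmartScreen and Office Protected
# View consult. ZoneId 3 = Internet zone, 4 = Restricted sites zone.
import os
from pathlib import Path
from typing import Optional, Union

ZONE_INTERNET = 3
ADS_SUFFIX = ":Zone.Identifier"   # stream name Windows uses for the MOTW

def parse_zone_identifier(text: str) -> Optional[int]:
    """Return ZoneId from Zone.Identifier stream contents, None if absent or malformed."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                return int(value.strip()) if value.strip().isdigit() else None
    return None

def read_motw(path: Union[str, Path]) -> Optional[int]:
    """Zone id recorded on the file, or None when it carries no Zone.Identifier stream."""
    try:
        with open(f"{path}{ADS_SUFFIX}", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:                       # no such stream (or not NTFS): unmarked
        return None

def apply_motw(path: Union[str, Path], zone_id: int = ZONE_INTERNET,
               referrer: Optional[str] = None) -> None:
    """Write a Zone.Identifier stream so Windows treats the file as downloaded. NTFS only."""
    if os.name != "nt":
        raise OSError("alternate data streams need NTFS on Windows")
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer:                          # optional origin, as browsers record it
        lines.append(f"ReferrerUrl={referrer}")
    with open(f"{path}{ADS_SUFFIX}", "w", encoding="utf-8", newline="\r\n") as fh:
        fh.write("\n".join(lines) + "\n")

def find_unmarked(directory: Union[str, Path]) -> list:
    """Regular files under `directory` (recursively) that carry no MOTW zone id."""
    return sorted(p for p in Path(directory).rglob("*")
                  if p.is_file() and read_motw(p) is None)
```

Run `find_unmarked` against the mail client's attachment download folder (an assumed location) to list unmarked files, and `apply_motw` on each hit to restore the SmartScreen and Protected View checks that a missing tag silently skips.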

Advisories and additional details are available via vendor reference at http://blue.com, a technical document at https://drive.google.com/file/d/1dVzXuHBk3B1DiFpwFYwj2NNjeKGnGSwT/view, and GitHub repositories including https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319, which covers this CVE alongside CVE-2025-65318. Other references point to related exploit toolkits at https://github.com/nickvourd/RTI-Toolkit and https://github.com/rip1s/CVE-2017-11882. Security practitioners should review these sources for mitigation guidance, patches, or workarounds specific to Blue Mail.

Details

CWE(s)

CWE-693 Protection Mechanism Failure

Affected Products

blixhq bluemail ≤ 1.140.103

CVEs Like This One

CVE-2026-32225 (shared CWE-693)
CVE-2025-24061 (shared CWE-693)
CVE-2025-0411 (shared CWE-693)
CVE-2025-65318 (shared CWE-693)
CVE-2025-49740 (shared CWE-693)
CVE-2025-21346 (shared CWE-693)
CVE-2026-29649 (shared CWE-693)
CVE-2026-34938 (shared CWE-693)
CVE-2026-21510 (shared CWE-693)
CVE-2025-40536 (shared CWE-693)
