CISA Includes MDaemon Email Server XSS Flaw in KEV Catalog


The Cybersecurity and Infrastructure Security Agency (CISA) added a cross-site scripting (XSS) vulnerability affecting MDaemon Email Server to its Known Exploited Vulnerabilities (KEV) Catalog on May 19, 2025.

This critical addition, identified as CVE-2024-11182, highlights a security flaw that allows attackers to inject malicious JavaScript code via crafted HTML emails.

Federal agencies now have until June 9, 2025, to implement necessary remediation measures, while all organizations are strongly encouraged to address this vulnerability promptly to prevent potential security breaches.


The vulnerability affects MDaemon Email Server versions prior to 24.5.1c and enables attackers to embed JavaScript code in HTML email messages, specifically within image tags.

When a recipient views the malicious email in the webmail interface, the arbitrary JavaScript code executes within the context of the user’s browser window, potentially giving attackers access to sensitive browser data and functionality.

This vulnerability has already been weaponized in the wild, with evidence suggesting exploitation by Russian state-sponsored threat actors.

Security researchers have linked the APT28 group to exploitation of this vulnerability in its “Operation RoundPress” cyber-espionage campaigns.

The presence of this exploit in active campaigns significantly elevates its risk profile, despite its medium CVSS score of 6.1.

“Cross-site scripting vulnerabilities remain particularly dangerous because they can bypass client-side security controls and execute in the context of a trusted application,” explains the CISA advisory, which classifies this under the CWE-79 category (Improper Neutralization of Input During Web Page Generation).

Impact on Federal Agencies

Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by June 9, 2025—21 days after its addition to the KEV Catalog.

This directive establishes a compulsory timeline for federal agencies to address known exploited vulnerabilities, emphasizing CISA’s risk-based approach to vulnerability management.

The KEV Catalog has emerged as a crucial resource for prioritizing remediation efforts, focusing on vulnerabilities that pose immediate threats rather than theoretical risks.

Unlike traditional vulnerability scoring systems that may overemphasize potential impacts, the KEV specifically highlights vulnerabilities with confirmed exploitation in the wild.

“The KEV catalog sends a clear message to all organizations to prioritize remediation efforts on the subset of vulnerabilities that are causing immediate harm based on adversary activity,” states CISA’s official guidance.

Organizations using MDaemon Email Server should immediately update to version 24.5.1c or later to mitigate this vulnerability.

For entities unable to update promptly, implementing compensating controls such as web application firewalls or email filtering systems configured to block emails containing suspicious JavaScript code is recommended.

Security experts emphasize that this vulnerability should be addressed with urgency due to its active exploitation status.

“The ‘In The Wild’ tag associated with this CVE indicates that it is actively being exploited by hackers. This signals an immediate need to implement mitigating measures,” notes one security advisory.

CISA strongly recommends incorporating the KEV Catalog into broader vulnerability management frameworks, such as the Stakeholder-Specific Vulnerability Categorization (SSVC), to appropriately triage vulnerabilities based on real-world exploitation risk rather than severity scores alone.

Organizations can access the KEV Catalog through CISA’s website in multiple formats including CSV and JSON, and subscribe to updates to stay informed about newly added vulnerabilities.
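As an added illustration (not code from the article or from CISA), the following script shows how a defender can consume the KEV JSON feed mentioned above, check the 21-day BOD 22-01 window, and decide whether an installed MDaemon build is older than the 24.5.1c fix. The catalog record is a constructed sample; its field names follow the public KEV JSON feed as this example assumes it, and the version-ordering rule for the trailing letter is likewise an assumption.

```python
import json
import re
from datetime import date, timedelta

# Constructed sample shaped like CISA's KEV JSON feed (field names are an assumption);
# the values mirror the article: CVE-2024-11182, added 2025-05-19, due 2025-06-09.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-11182",
            "vendorProject": "MDaemon",
            "product": "Email Server",
            "vulnerabilityName": "MDaemon Email Server Cross-Site Scripting Vulnerability",
            "dateAdded": "2025-05-19",
            "dueDate": "2025-06-09",
        }
    ],
})

BOD_22_01_WINDOW = timedelta(days=21)  # remediation window for newly added KEV entries

def parse_version(v: str):
    """Split an MDaemon-style version such as '24.5.1c' into a comparable tuple.
    Assumption: a trailing letter denotes a later hotfix of the same numeric release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    return numbers, m.group(2)

def is_vulnerable(installed: str, fixed: str = "24.5.1c") -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)

def kev_entries(kev_json: str, vendor: str, product: str):
    """Yield catalog entries whose vendor and product match (case-insensitive)."""
    catalog = json.loads(kev_json)
    for entry in catalog["vulnerabilities"]:
        if (entry["vendorProject"].lower() == vendor.lower()
                and entry["product"].lower() == product.lower()):
            yield entry

def days_until_due(entry: dict, today: str) -> int:
    """Days left before the KEV due date as of an ISO date string (negative = overdue)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today)).days

def due_matches_window(entry: dict) -> bool:
    """Check that dueDate equals dateAdded plus the 21-day BOD 22-01 window."""
    added = date.fromisoformat(entry["dateAdded"])
    return date.fromisoformat(entry["dueDate"]) == added + BOD_22_01_WINDOW
```

Against the live feed, replace KEV_SAMPLE with the downloaded JSON text; the same functions apply unchanged.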
