MediumCISA KEVExploited in the wildPublic exploit

XSS in MDaemon Email Server Webmail

IdentifiersCVE-2024-11182CWE-79· Improper Neutralization of Input…

CVE-2024-11182 is a cross-site scripting vulnerability in MDaemon Email Server webmail affecting versions before 24.5.1c. The flaw can be triggered by sending a crafted HTML email containing JavaScript in an img tag; ESET reporting further indicates the exploit involved malformed HTML attributes to render a hidden img/onerror-style JavaScript payload. When a victim opens the malicious message in the vulnerable webmail interface, attacker-supplied JavaScript executes in the security context of that user’s webmail session. In observed exploitation, this was used as part of Sednit/APT28’s Operation RoundPress against high-value targets. The vulnerability enables script-based access to data available within the webmail page, including mailbox contents and session-accessible account information.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote execution of arbitrary JavaScript in the victim’s browser within the MDaemon webmail origin. This can lead to theft of webmail credentials, session hijacking, unauthorized access to email contents, contacts, settings, login history, and other mailbox data accessible to the user. Reporting on in-the-wild exploitation also indicates the attack could facilitate two-factor-authentication bypass by stealing 2FA-related data and creating an application password, enabling continued unauthorized mailbox access. The impact is generally confined to the webmail session/browser context rather than direct compromise of the underlying host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the MDaemon webmail interface, restrict access to trusted networks or VPN users, and monitor for suspicious HTML email targeting webmail users. Implement compensating controls such as web application filtering where feasible, strengthen email filtering to block or quarantine suspicious HTML content, and review mailbox/application-password settings and authentication logs for signs of abuse. Because exploitation requires the malicious email to be opened in webmail, user awareness and rapid removal of suspicious messages can reduce risk, but patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Upgrade MDaemon Email Server to a fixed release. The provided content states affected versions are those before 24.5.1c, and supporting reporting states the vulnerability was patched by the vendor in November 2024. Organizations should apply the vendor patch/update immediately to all exposed MDaemon webmail instances and verify that the webmail component is running the corrected build.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

MDaemon TechnologiesMdaemonapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

27 SOURCESView more in app

ics cert kasperskyNews

Sep 4, 2025

APT and financial attacks on industrial organizations in Q2 2025 | Kaspersky ICS CERT

A zero-day cross-site scripting (XSS) flaw in MDaemon Email Server’s HTML rendering that enabled execution of malicious JavaScript in victims’ webmail sessions, used by Sednit/APT28 in spear-phishing (Operation RoundPress).

help net securityNews

May 21, 2025

Nation-state APTs ramp up attacks on Ukraine and the EU

A zero-day vulnerability in MDaemon Email Server exploited by the Sednit group in targeted attacks against Ukrainian companies.

infosecurity magazine comNews

May 20, 2025

Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits and Wipers

A zero-day cross-site scripting (XSS) vulnerability in MDaemon Email Server exploited by Fancy Bear (APT28) for targeted attacks against Ukrainian companies.

cyberthroneNews

May 20, 2025

CISA Adds Six Vulnerabilities to KEV Catalog

A cross-site scripting vulnerability in MDaemon Email Server webmail that can enable session hijacking and unauthorized email access.

+6 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence4

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity17

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-11182

NVD

nvd.nist.gov/vuln/detail/CVE-2024-11182

MITRE CWE · CWE-79

Improper Neutralization of Input During Web…

Release Notes

files.mdaemon.com/mdaemon/beta/RelNotes_en.html

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11182