MediumPublic exploit

Privilege Escalation in Stalwart Mail Server via RUN_AS_USER Bypass

IdentifiersCVE-2024-35179CWE-269

A privilege escalation vulnerability exists in Stalwart Mail Server prior to version 0.8.0 when configured with the RUN_AS_USER option. If an attacker with admin credentials (or who has compromised an admin account) achieves arbitrary code execution via another vulnerability, they can read arbitrary files as root, bypassing the intended privilege separation enforced by RUN_AS_USER. This exposes sensitive files on the host system to unauthorized access.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Attackers who have obtained admin credentials and achieved arbitrary code execution can escalate privileges to read any file as root, potentially exposing sensitive system files, credentials, and other confidential data. This undermines the security boundary expected by administrators using RUN_AS_USER.

Mitigation

If you can’t patch tonight, do this now.

Until the server can be upgraded, restrict admin access, monitor for signs of compromise, and avoid granting admin credentials to untrusted users. Consider running the mail server in a sandboxed or containerized environment to further limit the impact of a potential compromise.

Remediation

Patch, then assume compromise.

Upgrade Stalwart Mail Server to version 0.8.0 or later, which contains a patch for this vulnerability. Ensure that all instances are updated and that admin credentials are tightly controlled.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

arxivNews

May 19, 2024

Teams of LLM Agents can Exploit Zero-Day Vulnerabilities

An arbitrary code execution vulnerability in Stalwart Mail Server involving admin privilege issues.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-35179

NVD

nvd.nist.gov/vuln/detail/CVE-2024-35179

MITRE CWE · CWE-269

cwe.mitre.org

github.com

github.com/stalwartlabs/mail-server/security/advisories/GHSA-5pfx-j27j-4c6h