Positive Technologies helps fix vulnerabilities in Proxmox Mail Gateway

PT SWARM researcher Artyom Danilov identified four vulnerabilities in Proxmox Mail Gateway, an open-source platform developed by Proxmox Server Solutions to protect corporate email against spam and malware. If exploited, the vulnerabilities could allow an attacker to deliver malicious attachments to employees, including ransomware and spyware. The vendor was notified through responsible disclosure and issued an update to remediate the flaws.

Threat intelligence from Positive Technologies suggests that over 15,000 Proxmox Mail Gateway instances worldwide may be exposed. Most of the potentially exposed devices were observed in Germany (23% of the global total), France (9%), the United States (7%), Russia (6%), and Indonesia (5%).

The vulnerabilities PT-2026-21929 through PT-2026-21932[1] (BDU: 2026-01642 through BDU: 2026-01645) received CVSS v4.0 scores of 6.9 to 7.8. If exploited, the issues could enable an attacker to evade Proxmox Mail Gateway filtering and deliver emails containing malicious attachments. If the victim opened the attachment, the outcome would depend on what the file contained. A ransomware payload, for example, could enable an attacker to infiltrate the organization's IT environment and encrypt files across endpoints and servers on the local network, blocking access to valuable information. Such an incident can cause significant financial and reputational damage and, in some cases, interrupt business and production processes.

[1] The vulnerabilities have been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.

"Email clients and mail gateways often depend on specialized libraries that implement SMTP[2] parsing and handling standards. Those standards offer guidance, but they do not define every edge case, so different libraries may interpret borderline situations in different ways. If the email client and the security gateway rely on different libraries, these inconsistencies in message processing can be abused by attackers. In the case of Proxmox Mail Gateway, the vulnerabilities could be exploited by any external user. Even so, the practical risk can be much lower if employees have strong security awareness and treat attachments from unknown external senders as suspicious."

Artyom Danilov, Banking Security Specialist at Positive Technologies

To address the issues, organizations should upgrade Proxmox Mail Gateway to 8.2.10 or 9.0.6 as quickly as possible. If patching is not feasible, the risk can be mitigated by using the desktop Microsoft Outlook client or other email clients that automatically block executable attachments[3] and alert users to potential threats. Organizations should also deploy antivirus protection to add another layer of defense for their corporate environment.

[2] SMTP (Simple Mail Transfer Protocol) is the core network protocol for relaying email messages between mail servers.

[3] An executable attachment is a file that contains code designed to run directly as a program.

In 2025, a team of Positive Technologies researchers, including Artyom Danilov, identified 22 vulnerabilities in modules for FreeScout, an open-source help desk platform with built-in email functionality. If exploited, PT-2025-47937 and PT-2025-42833 through PT-2025-42853 (BDU: 2025-12427 and BDU: 2025-13045 through BDU: 2025-13065) could allow an attacker to harvest credentials and expand the attack within the organization's internal network.

To help defend against phishing, including attacks that might exploit PT-2026-21929–PT-2026-21932, Positive Technologies has developed PT Email Security, a multi-layered email protection solution.

For malware protection, we recommend MaxPatrol EPP, which is designed to prevent widespread and well-known cyberthreats and is powered by a proprietary antivirus engine from Positive Technologies. Risk can be further reduced with MaxPatrol Carbon, which helps identify likely attack paths and automates continuous cyber resilience assessment.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.