CVE-2014-4366
Description
Mail in Apple iOS before 8 does not prevent sending a LOGIN command to a LOGINDISABLED IMAP server, which allows remote attackers to obtain sensitive cleartext information by sniffing the network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mail in iOS before 8 sends LOGIN credentials in cleartext to IMAP servers even when the server advertises LOGINDISABLED, exposing them to network sniffing.
Vulnerability
In Apple iOS versions prior to 8, the Mail application does not check the LOGINDISABLED capability advertised by an IMAP server before sending a LOGIN command. This allows the client to transmit the user's IMAP credentials (username and password) in cleartext over the network, even when the server explicitly indicates that plaintext authentication is disabled. The affected versions include all iOS releases before 8.0.
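The missing check can be shown as a small client-side gate. This is an added example, not Apple's code: the function names, return labels and sample server lines are constructed for illustration, and the rule applied is the RFC 3501 requirement that a client must not send LOGIN while LOGINDISABLED is advertised.

```python
import re

# Capabilities arrive either as an untagged "* CAPABILITY ..." response or as
# a "[CAPABILITY ...]" response code inside a greeting or a tagged OK.
_CAP_RE = re.compile(r"(?:^\* CAPABILITY |\[CAPABILITY )([^\]\r\n]*)", re.IGNORECASE)


def parse_capabilities(server_lines):
    """Return the most recently advertised capability set, or None if absent."""
    caps = None
    for line in server_lines:
        match = _CAP_RE.search(line)
        if match:
            # Capability names are case-insensitive; normalise before comparing.
            caps = {atom.upper() for atom in match.group(1).split()}
    return caps


def login_decision(server_lines, tls_active):
    """Decide the next step before any credentials are written to the socket.

    server_lines must contain only responses received in the current security
    layer: capabilities cached before STARTTLS are discarded by the caller.
    """
    caps = parse_capabilities(server_lines)
    if caps is None:
        return "CAPABILITY"      # nothing advertised yet: ask first
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"        # upgrade, then re-issue CAPABILITY
    if "LOGINDISABLED" in caps:
        return "REFUSE_LOGIN"    # the check missing in the vulnerable client
    return "LOGIN"


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    greeting = ["* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"]
    after_tls = ["* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"]
    print(login_decision(greeting, tls_active=False))   # STARTTLS
    print(login_decision(after_tls, tls_active=True))   # LOGIN
```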
Exploitation
An attacker with network access between the iOS device and the IMAP server can passively sniff the traffic. No authentication or user interaction is required beyond the device attempting to connect to the IMAP server. The attacker simply monitors the network for the LOGIN command, which is sent in cleartext.
Impact
Successful sniffing reveals the IMAP account credentials (username and password) in cleartext. This leads to unauthorized access to the victim's email account and potentially other services if the same credentials are reused. The compromise is limited to information disclosure of the credentials.
Mitigation
Apple addressed this issue in iOS 8, released on September 17, 2014 [1]. Users should update to iOS 8 or later. No workaround is available for earlier versions; upgrading is the only mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.1.2)
- cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*
- Range: <8
Patches
No patches discovered yet.
References (6)
News mentions
No linked articles in our index yet.