A critical vulnerability in Exim Mail Transfer Agent threatens millions of servers worldwide by allowing attackers to execute code on affected systems.
A serious security vulnerability threatens mail servers around the world that rely on the Exim Mail Transfer Agent. The vulnerability, CVE-2023-42115, was reported by an anonymous security researcher and published through Trend Micro's Zero Day Initiative (ZDI). It is an out-of-bounds write in Exim's SMTP service. Bugs of this kind typically cause crashes and memory corruption, and an attacker who controls the overwritten data can often turn them into execution of arbitrary code or commands on the vulnerable server.
ZDI's advisory states that the issue results from a lack of validation of user-supplied data, which can lead to a write past the end of a buffer. Attackers can leverage this to execute code or commands.
ZDI reported the vulnerability to Exim in June 2022 and, at the maintainers' request, sent further details about the attack vector in May 2023. A patch that secures affected mail servers is still missing, as is a timeline for when one might be available. ZDI therefore published an advisory at the end of September 2023 with details of the zero-day CVE-2023-42115, including a record of its prior communication with Exim.
One can hope that this publication puts enough pressure on Exim to at least provide a timeline for a patch, because MTAs like Exim are particularly attractive targets: they are by design reachable from the Internet, and a compromised mail server gives attackers a good foothold into the target network.
In May 2020, the US National Security Agency reported that the Russian hacking group Sandworm had been exploiting the critical Exim vulnerability CVE-2019-10149 ("The Return of the WIZard") since at least August 2019. Exim is also the default MTA on Debian and, according to a mail server survey from early September 2023, the most widely deployed MTA in the world: it runs on more than 56 percent of the roughly 602,000 mail servers the survey found reachable over the Internet, which corresponds to just over 342,000 Exim servers. A Shodan search currently shows more than 3.5 million Exim servers online, most of them in the United States, followed by Russia and Germany.
Until a patch is available, ZDI advises administrators to restrict remote access to vulnerable Exim servers from the Internet in order to block incoming attack attempts.
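The following nftables ruleset is an added example of that mitigation; it is not from the article, from ZDI, or from the Exim project. It limits who can reach the SMTP listener on an Exim host so that untrusted Internet clients never get to open a session with the vulnerable service. The table and set names, the allowed peers and the client networks are constructed placeholders (RFC 5737 documentation ranges) and must be replaced with your own upstream relays and client ranges.

```nft
# Added example (not from the article or the Exim project): nftables ruleset
# that restricts SMTP access on an Exim host to known peers. All addresses are
# constructed documentation ranges (RFC 5737); replace them with your own.
table inet smtp_guard {
    set smtp_peers {
        # Hosts allowed to deliver to port 25, e.g. an upstream filtering relay
        # or the organisation's border MX that forwards mail to this host.
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.25 }
    }
    set submission_clients {
        # Networks allowed to use the authenticated submission ports 465/587,
        # e.g. the office LAN and VPN pool.
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Weak state: without these rules every host on the Internet can reach
        # the SMTP listener and exercise the parser that contains the bug.
        # Hardened state: only listed peers reach the SMTP service; everyone
        # else is dropped before Exim sees a single byte of the session.
        ct state established,related accept
        iif "lo" accept
        tcp dport 25 ip saddr @smtp_peers accept
        tcp dport { 465, 587 } ip saddr @submission_clients accept
        tcp dport { 25, 465, 587 } counter drop
    }
}
```

Load it with `nft -f smtp_guard.nft` and check the counter on the final drop rule with `nft list ruleset` to see how many unsolicited connection attempts are being blocked. Two caveats apply. First, the ruleset only matches IPv4 (`ip saddr`); if Exim also listens on IPv6, add matching `ip6_addr` sets and `ip6 saddr` rules, otherwise the restriction is trivially bypassed over IPv6. Second, a public MX must by definition accept port 25 connections from arbitrary senders, so this allow-list approach only fits internal relays and hosts that receive mail through a known upstream; for an Internet-facing MX the article offers no mitigation beyond restricting access, which in practice means putting a filtering relay that is not Exim in front of it until a patch ships.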