Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Email Security

Qualys Flags Gaping Security Holes in Exim Mail Server

Security researchers document 21 major security vulnerabilities in Exim and warn that users are exposed to remote code execution flaws 

Security researchers document 21 major security vulnerabilities in Exim and warn that users are exposed to remote code execution flaws 

Security researchers at Qualys have discovered multiple gaping security holes in Exim, a widely deployed mail server that has been targeted in the past by advanced nation state-based threat actors.

An advisory from Qualys documents a total of 21 security vulnerabilities, 10 serious enough to expose Exim mail servers to remote code execution attacks. 

Qualys said it reported the flaws to Exim since last October and noted that some of the vulnerabilities have been present in Exim since at least 2004, Qualys warned.

From the advisory:

We recently audited central parts of the Exim mail server and discovered 21 vulnerabilities (from CVE-2020-28007 to CVE-2020-28026, plus CVE-2021-27216): 11 local vulnerabilities, and 10 remote vulnerabilities. Unless otherwise noted, all versions of Exim are affected since at least the beginning of its Git history, in 2004.

During the course of the research, Qualys said its team successfully exploited three remote code-execution flaws and four local privilege escalation bugs to gain root access on vulnerable mail servers.

Advertisement. Scroll to continue reading.

[RELATED: NSA Publishes IOCs Associated With Russian Targeting of Exim Servers ]

“We will not publish our exploits for now; instead, we encourage other security researchers to write and publish their own exploits,” the company said, noting that the advisory contains sufficient information to develop reliable exploits for these vulnerabilities,” Qualys said. “In fact, we believe that better exploitation methods exist.”

A separate note from Exim maintainers contains information on applying security patches. The group blamed “several internal reasons” for the extended delays in responding to these security issues.

While not as familiar to many as Microsoft Exchange, Exim is widely deployed and is estimated to power more than half of the Internet’s mail servers and is pre-installed in several Linux distributions. According to a March 2021 scan by E-Soft, roughly 60% of publicly-accessible email servers run Exim.

Exim servers have been the target of advanced threat actors in the past, with the NSA warning in May 2020 that Russia-linked threat actors had been exploiting installations of the popular email server. In June 2019, multiple cybercriminals were exploiting a vulnerability in Exim (CVE-2019-10149), including an effort by at least one threat actor to install crypto-mining software.

Related: Several Exim Vulnerabilities Exploited in Russia-Linked Attacks

Related: Hackers Target Recent Vulnerability in Exim Mail Server

Related: NSA Publishes IOCs Associated With Russian Targeting of Exim Servers

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...