Email Security

Unpatched Exim Vulnerabilities Expose Many Mail Servers to Attacks 

Patches are being developed for serious Exim vulnerabilities that could expose many mail servers to attacks. 

The existence of several unpatched vulnerabilities impacting Exim mail transfer agent (MTA) installations was disclosed last week, more than one year after they were initially reported to developers. 

Trend Micro’s Zero Day Initiative (ZDI) learned about six Exim vulnerabilities last year and reported the findings to the MTA software’s developers in June 2022. However, Exim developers have only now started working on patches, and both sides have traded accusations over the delay.

Exim, a piece of software used to receive and relay emails, is present on hundreds of thousands of servers. Vulnerabilities affecting the software can be highly valuable to threat actors, who have been known to exploit Exim flaws in their attacks.

ZDI last week released six individual advisories describing the flaws, reported to the company by an anonymous researcher. The most serious of them, rated ‘critical’ and tracked as CVE-2023-42115, can be exploited by a remote, unauthenticated attacker to execute arbitrary code.

Three other flaws, classified as ‘high severity’ and tracked as CVE-2023-42116, CVE-2023-42117 and CVE-2023-42118, can also be exploited for remote code execution without authentication.

The remaining two issues have a lower severity rating and their exploitation can lead to information disclosure.

According to ZDI’s timeline, the vulnerabilities were reported to Exim developers in June 2022 and ZDI reached out for an update in late April 2023, with the bug reports being resent to Exim in May. 

ZDI made its advisories public on September 27 and a public discussion regarding the flaws was initiated late last week on the Openwall mailing list. 


Exim is working on patches and says they should become available shortly, though there still seems to be some confusion within Exim on what exactly has been reported via ZDI. Developers claim the vulnerabilities can only be exploited if certain features are used. 

Exim developers have complained that ZDI failed to provide needed clarifications between its initial report in June 2022 and May 2023. 

Some have argued that it has still taken Exim developers a long time to start addressing the flaws, even if they only learned about them in May.

In response to the Exim team’s complaints, ZDI said, “The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, ‘you do what you do’.” 

Related: NSA: Russian Agents Have Been Hacking Major Email Program

Related: Critical Remote Code Execution Vulnerability Patched in Exim Email Server

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
