Critical Vulnerabilities in Exim Mail Server Risk Thousands of Systems to Potential Takeover

Security researchers have reported critical vulnerabilities in the Exim mail transfer agent that could allow remote attackers to take full control of affected systems. The flaws affect Exim version 4.99 when it is built with SQLite as its hints database backend, putting a large number of mail servers at risk. (The first of them, CVE-2025-26794, is catalogued in NIST's National Vulnerability Database; the second has not yet been assigned a CVE.)

Overview of the Vulnerabilities

The research team uncovered two primary vulnerabilities in Exim's SQLite hints database code:

1. Incomplete SQL injection fix: the earlier patch for CVE-2025-26794 does not escape every single-quote character in the strings Exim interpolates into its hints database queries. An attacker can exploit this by sending SMTP commands (for example MAIL FROM) whose email address carries a SQL injection payload; the address is used as part of a database key and so ends up inside the query text.

2. Heap buffer overflow: a size field read back from the database is used as an array bound without being checked against the data actually stored. When Exim's Bloom filter code (used by the ratelimit ACL condition's unique= tracking) processes a record under the attacker's control, it can write past the end of the allocated buffer, corrupting up to 1.5 megabytes of heap memory.
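The injection path described above, as an added example that is not part of the original article and not Exim's own code: an in-memory SQLite table stands in for the hints database, a ratelimit key is built from the sender address, and a hypothetical escape routine that doubles only the first quote models an incomplete fix (Exim's actual escaping code is not reproduced). The payload shape, the table schema and the key prefix are all constructed for the example; whether a given payload survives Exim's SMTP address parsing is not modelled here. The hardened variant binds the key as a parameter instead of splicing it into the query text.

```python
import sqlite3

# Constructed stand-in for an Exim SQLite hints database: one table keyed by
# the ratelimit key string. This is illustrative code, not Exim's own schema.
SCHEMA = "CREATE TABLE hints (key TEXT PRIMARY KEY, value BLOB)"

# Constructed sample sender address carrying a SQL injection payload. The first
# quote is a decoy that absorbs the (incomplete) escaping; the rest breaks out
# of the string literal, supplies the second column, and appends a statement.
PAYLOAD = "'a', X'00'); DELETE FROM hints; --"


def open_store():
    """Open an in-memory hints store pre-populated with two benign keys."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.execute("INSERT INTO hints VALUES ('ratelimit/alice@example.org', X'01')")
    con.execute("INSERT INTO hints VALUES ('ratelimit/bob@example.org', X'02')")
    con.commit()
    return con


def escape_first_quote(s):
    """Hypothetical incomplete fix: doubles only the first single quote.

    This models the class of bug the article describes (an escape that does
    not cover every quote in attacker-controlled input); it is not Exim's code."""
    return s.replace("'", "''", 1)


def store_unsafe(con, sender, value):
    """Build the INSERT by string concatenation (the vulnerable pattern)."""
    key = "ratelimit/" + escape_first_quote(sender)
    sql = (f"INSERT OR REPLACE INTO hints (key, value) "
           f"VALUES ('{key}', X'{value.hex()}')")
    # executescript runs every statement in the string, as sqlite3_exec() does in C.
    con.executescript(sql)
    con.commit()


def store_safe(con, sender, value):
    """Bind key and value as parameters: the address can never be parsed as SQL."""
    con.execute("INSERT OR REPLACE INTO hints (key, value) VALUES (?, ?)",
                ("ratelimit/" + sender, value))
    con.commit()


def row_count(con):
    return con.execute("SELECT COUNT(*) FROM hints").fetchone()[0]


def lookup(con, sender):
    row = con.execute("SELECT value FROM hints WHERE key = ?",
                      ("ratelimit/" + sender,)).fetchone()
    return None if row is None else bytes(row[0])


def demo():
    """Return (rows left after the unsafe write, rows left after the safe write)."""
    con = open_store()
    store_unsafe(con, "o'brien@example.org", b"\x05")   # one quote: escaping copes
    store_unsafe(con, PAYLOAD, b"\x01")                  # two quotes: it does not
    unsafe_rows = row_count(con)
    con = open_store()
    store_safe(con, PAYLOAD, b"\x01")
    safe_rows = row_count(con)
    return unsafe_rows, safe_rows


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (0, 3): the string-built INSERT lets the crafted address delete every row, while the parameterised INSERT stores the same address as an ordinary key. A single quote in a legitimate address such as o'brien@example.org is handled correctly by the incomplete escape, which is exactly why such a fix can look adequate in testing.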

Technical Details

The vulnerabilities are characterized as follows:

– CVE-2025-26794: SQL injection (CWE-89), rated high severity. It is exploitable remotely over SMTP and allows execution of arbitrary SQL statements against the hints database, including data exfiltration.

– Heap buffer overflow: a CVE assignment is pending. The issue is classed under CWE-122 (heap-based buffer overflow), CWE-787 (out-of-bounds write) and CWE-843 (type confusion) and is rated critical: remote exploitation over SMTP leads to heap corruption and potentially remote code execution.

Exploitation requires a specific configuration:

– Exim must be built with SQLite as the hints database backend.

– The ACLs must use the ratelimit condition with a key that incorporates attacker-controlled data, such as the sender address.

The configurations most at risk are ratelimit conditions in per_addr mode whose key explicitly includes the sender address, and those whose unique= option is built from attacker-controlled values.

Potential Impact

The researchers demonstrated heap corruption and controlled manipulation of memory but did not achieve full remote code execution, citing mitigations such as Address Space Layout Randomization (ASLR). They caution, however, that a determined attacker with sufficient resources could plausibly turn the primitive into full system compromise: ASLR raises the cost of exploitation but does not remove the memory-safety bug.

Mitigation Measures

Exim's maintainers have been informed and are developing patches. The recommended fixes are:

– Escaping every single quote in values interpolated into queries, or better, passing them as bound parameters of prepared statements so that attacker-controlled text can never be parsed as SQL.

– Validating size fields read from the database against the length of the record actually present before using them as array boundaries.
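One way to implement the second fix, as an added example that is not Exim's code: a Bloom filter record is decoded from a blob with a hypothetical header (bit count and hash count, a layout constructed for this example rather than Exim's real ratelimit record format), and the checked decoder refuses any record whose claimed bit count does not match the bytes actually present. Python raises IndexError where C would silently write past the heap allocation, so the unchecked path shows where the overflow originates rather than reproducing it.

```python
import hashlib
import struct

# Hypothetical on-disk layout for a Bloom filter record, constructed for this
# example (Exim's real ratelimit record format is not reproduced here):
#   uint32 nbits    number of bits in the filter
#   uint32 nhashes  number of hash positions per item (1..8)
#   bytes  bits     ceil(nbits / 8) bytes of filter state
HEADER = struct.Struct("<II")
MAX_HASHES = 8   # sha256 yields 32 bytes = 8 four-byte positions


def decode_unchecked(blob):
    """Trusts the header fields, as the vulnerable code path did."""
    nbits, nhashes = HEADER.unpack_from(blob, 0)
    return nbits, nhashes, bytearray(blob[HEADER.size:])


def decode_checked(blob):
    """Validates every size field against the data actually present before use."""
    if len(blob) < HEADER.size:
        raise ValueError("record shorter than its header")
    nbits, nhashes = HEADER.unpack_from(blob, 0)
    bits = bytearray(blob[HEADER.size:])
    if nbits == 0 or not 1 <= nhashes <= MAX_HASHES:
        raise ValueError(f"implausible parameters nbits={nbits} nhashes={nhashes}")
    if (nbits + 7) // 8 != len(bits):
        raise ValueError(f"header claims {nbits} bits but record holds {len(bits)} bytes")
    return nbits, nhashes, bits


def encode(nbits, nhashes, bits):
    return HEADER.pack(nbits, nhashes) + bytes(bits)


def _positions(item, nbits, nhashes):
    """Derive nhashes bit positions from one sha256 digest of the item."""
    digest = hashlib.sha256(item).digest()
    for i in range(nhashes):
        yield int.from_bytes(digest[4 * i:4 * i + 4], "little") % nbits


def add(record, item):
    nbits, nhashes, bits = record
    for p in _positions(item, nbits, nhashes):
        bits[p >> 3] |= 1 << (p & 7)    # in C this is the out-of-bounds write


def contains(record, item):
    nbits, nhashes, bits = record
    return all(bits[p >> 3] & (1 << (p & 7)) for p in _positions(item, nbits, nhashes))


def new_record(nbits=4096, nhashes=4):
    return nbits, nhashes, bytearray((nbits + 7) // 8)


# Constructed hostile record: the header claims 2**23 bits (1 MiB of filter
# state) but only 8 bytes follow, so positions land far past the buffer.
HOSTILE = HEADER.pack(1 << 23, 4) + bytes(8)


def roundtrip_ok():
    """Encode a filter, decode it with checks, and confirm membership survives."""
    rec = new_record()
    add(rec, b"alice@example.org")
    rec2 = decode_checked(encode(*rec))
    return contains(rec2, b"alice@example.org") and not contains(rec2, b"mallory@example.net")


def hostile_outcome(decoder):
    """Return the exception class raised (or None) when the hostile record is decoded and used."""
    try:
        rec = decoder(HOSTILE)
        add(rec, b"anything@example.org")
    except (ValueError, IndexError) as exc:
        return type(exc)
    return None


if __name__ == "__main__":
    print(roundtrip_ok(), hostile_outcome(decode_checked), hostile_outcome(decode_unchecked))
```

The checked decoder rejects the hostile record with ValueError before any bit is touched; the unchecked decoder accepts it and the first add() indexes a 1 MiB position into an 8-byte buffer, which is the situation the article's 1.5 MB heap corruption figure describes. The validation is cheap because the record length is already known when the blob is read, so the size claim in the header never needs to be trusted.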

Administrators running Exim with a SQLite hints database should:

– Monitor for updates and apply patches promptly once they are released.

– Consider temporarily moving the hints database off SQLite. The backend is selected when Exim is built (USE_SQLITE in Local/Makefile), so this means rebuilding or installing a package built with another backend; exim -bV shows the options a binary was built with.

– Until patches are available, avoid ratelimit ACL configurations whose key or unique= option is built from the sender address or other attacker-supplied data, for example by keying on the client IP address instead.

The research team is following coordinated disclosure and is withholding full exploit details until the developers have had time to ship fixes.

Historical Context

Exim has a history of vulnerabilities being exploited by threat actors. In 2019, the Russian state-sponsored group Sandworm exploited a severe Exim vulnerability (CVE-2019-10149) to execute malicious code with root privileges. Those attacks began about two months after the vulnerability was disclosed and continued for nearly a year.

Conclusion

The discovery of these critical vulnerabilities underscores the importance of proactive security measures and timely patching. Administrators are urged to stay vigilant, apply necessary updates, and implement recommended mitigations to safeguard their systems against potential exploits.