Vulnerability Watch

Forum Discussion

snarang
Product Team
6 years ago


Older Versions of Exim Vulnerable to Remote Command Execution (CVE-2019-10149)

On June 3, the maintainers of Exim, the mail transfer agent (MTA), announced on the oss-security mailing list that they had received reports from security researchers that older versions of Exim were vulnerable to remote command execution. On June 5, security researchers from Qualys published an abridged advisory about the vulnerability on the oss-security mailing list.

CVE-2019-10149 is a remote command execution vulnerability introduced in Exim version 4.87, which was released on April 6, 2016. It affects Exim versions 4.87 through 4.91. It was unknowingly patched in Exim version 4.92 in February 2019.

Exploitation under default configurations is possible for a local attacker. However, remote exploitation under default configurations is unreliable. In certain non-default configurations, remote exploitation is also possible.
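The version range above (introduced in 4.87, fixed in 4.92) is the first thing a defender wants to check across a fleet. The following script is an added example, not code from the original post or from the Exim project: it parses the version line that `exim -bV` prints and reports whether a host falls in the affected range. The sample `exim -bV` output embedded below is constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Boundaries from the advisory: CVE-2019-10149 was introduced in Exim 4.87
# and is fixed in 4.92, so the affected range is 4.87 <= version < 4.92.
FIRST_AFFECTED = (4, 87)
FIRST_FIXED = (4, 92)

# `exim -bV` prints a line beginning "Exim version X.YY ..."; capture the
# dotted numeric version (tolerates point releases such as 4.91.1).
_VERSION_RE = re.compile(r"^Exim version (\d+(?:\.\d+)+)", re.MULTILINE)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, ...]]:
    """Return the version as an integer tuple, e.g. '4.91' -> (4, 91).

    Returns None when the output contains no recognisable version line.
    """
    match = _VERSION_RE.search(bv_output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected_by_cve_2019_10149(version: Tuple[int, ...]) -> bool:
    """True when the version lies in [4.87, 4.92).

    Tuple comparison orders (4, 91, 1) after (4, 91) and before (4, 92),
    so point releases of an affected minor are still flagged.
    """
    return FIRST_AFFECTED <= version < FIRST_FIXED


def triage_hosts(outputs: Dict[str, str]) -> List[str]:
    """Given {hostname: exim -bV output}, return the hostnames to patch.

    Hosts whose output cannot be parsed are also returned, because an
    unknown version should be investigated rather than assumed safe.
    """
    to_patch = []
    for host, output in outputs.items():
        version = parse_exim_version(output)
        if version is None or is_affected_by_cve_2019_10149(version):
            to_patch.append(host)
    return to_patch


# Constructed sample outputs (not real hosts): one affected, one fixed,
# one where exim is not installed and the command printed nothing useful.
SAMPLE_OUTPUTS = {
    "mx1.example.test": (
        "Exim version 4.91 #1 built 05-Jun-2019 12:00:00\n"
        "Copyright (c) University of Cambridge, 1995 - 2018\n"
    ),
    "mx2.example.test": (
        "Exim version 4.92 #2 built 10-Jun-2019 09:30:00\n"
        "Copyright (c) University of Cambridge, 1995 - 2018\n"
    ),
    "relay.example.test": "bash: exim: command not found\n",
}


if __name__ == "__main__":
    for host in triage_hosts(SAMPLE_OUTPUTS):
        print(f"{host}: update Exim to 4.92 or later, or verify vendor backport")
```

A version string is a conservative signal only: distributions often backport a fix without bumping the upstream version, so a host flagged here should be confirmed against the package manager's changelog or security advisory before being treated as unpatched.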

To learn more, please visit our blog.
