A Remote Command Execution (RCE) vulnerability, CVE-2019-10149, has been publicly disclosed in Exim, the open source mail transfer agent (MTA) widely deployed on Unix-based mail servers. It can be exploited by sending a crafted email to a vulnerable server, and the injected commands typically run as root. The flaw is improper validation of the recipient address in the deliver_message() function in /src/deliver.c. Exim reportedly runs almost 57% of the Internet’s email servers, so the vulnerability poses a potentially severe risk to organizations operating affected instances.

The first exploitation attempts were detected when a single IP address was observed delivering a malicious payload to vulnerable systems, and the same threat actor was seen experimenting with different payloads. A second campaign appears to be more sophisticated: it uses code that lets the Exim exploit self-propagate (worm behavior) to other vulnerable servers reachable over the Internet. Once a server is compromised, a cryptominer is eventually installed on it.

Affected versions:

  • Exim versions 4.87 to 4.91

At the time of writing, the global count of servers detected as vulnerable stood at 3,033,715. CERT-PH strongly encourages organizations, especially those operating Philippine-based servers, to check for and update systems still running the affected versions.

The Exim project has released version 4.92, which resolves the issue.
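As an added example (not part of the CERT-PH advisory and not Exim's own tooling), the POSIX shell functions below classify an Exim version string against the affected range 4.87 to 4.91 listed above and check the locally installed binary through `exim -bV`. The `exim4` binary name (used by Debian-derived packaging) is an assumption about the host, and the sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether an Exim version falls in the CVE-2019-10149
# affected range (4.87 to 4.91 inclusive). Not part of the advisory or of Exim.

# exim_version_affected STRING
#   STRING may be a bare version ("4.91") or the first line of `exim -bV`
#   (constructed sample: "Exim version 4.91 #1 built 08-Jun-2019 14:12:03").
#   Returns 0 if affected, 1 if not affected, 2 if no version could be parsed.
exim_version_affected() {
    # Take the first whitespace-separated token that starts with "digits.digits".
    ver=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit }
    }')
    [ -n "$ver" ] || return 2

    major=${ver%%.*}          # "4"   from "4.91", "4.92.2" or "4.92_RC4"
    rest=${ver#*.}            # "91", "92.2" or "92_RC4"
    minor=${rest%%.*}         # "91", "92"   or "92_RC4"
    minor=$(printf '%s\n' "$minor" | sed 's/[^0-9].*//')   # drop "_RC4"-style suffixes

    # Affected exactly when major == 4 and 87 <= minor <= 91.
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# check_local_exim
#   Locates the Exim binary on PATH (assumed names: exim, or exim4 on
#   Debian-derived systems), reads its version banner and reports the result.
#   Returns 0 if affected, 1 if not, 3 if no Exim binary was found.
check_local_exim() {
    for bin in exim exim4; do
        if command -v "$bin" >/dev/null 2>&1; then
            banner=$("$bin" -bV 2>/dev/null | head -n 1)
            if exim_version_affected "$banner"; then
                echo "AFFECTED (CVE-2019-10149 range 4.87-4.91): $banner"
                return 0
            fi
            echo "not in affected range: $banner"
            return 1
        fi
    done
    echo "no exim/exim4 binary found on PATH"
    return 3
}

# Run the local check only when executed directly, not when sourced for testing.
case "$0" in
    *exim_check*|*.sh) check_local_exim ;;
esac
```

Two caveats for anyone running this on a fleet: distribution packages often backport security fixes without changing the upstream version that `exim -bV` reports, so a hit in the affected range should be confirmed against the distribution's own advisory or package changelog rather than treated as proof of exposure; and the version of the binary on disk says nothing about the process still running in memory, so the service must be restarted after the update for the fix to take effect.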