Researchers have discovered a critical vulnerability in the Exim mail transfer agent, putting approximately 1.5 million email servers at risk of sending malware to their users.
Exim is a mail transfer agent (MTA) used on Unix-like operating systems that is responsible for routing, delivering, and receiving email messages. As a flexible and highly configurable agent, Exim is a very popular choice among IT teams.
Researchers at security firm Censys found a vulnerability that hackers can use to bypass protections that typically prevent emails from delivering attachments that can install apps or execute code. The vulnerability is tracked as CVE-2024-39929 and has a severity rating of 9.1/10 (critical).
Not yet abused
“I can confirm this bug,” wrote Heiko Schlittermann, a member of the Exim project team, on a bug tracking site, ArsTechnica reported. “It seems to me to be a serious security problem.”
Censys says that of the approximately 6.5 million public SMTP email servers, 4.8 million are using Exim. Additionally, 1.5 million are using an old, vulnerable version. So far, there have been no reports of the vulnerability being exploited in the wild, but now that it’s in the spotlight, it’s only a matter of time before threat actors start scanning the internet for vulnerable instances.
For the attack to work, victims still need to execute the attachment and install the malware. However, threat actors have been conducting some very sophisticated social engineering attacks lately, meaning the risk of infection is very real.
Phishing remains one of the most popular methods for delivering malware, so flawed email servers are a highly valued commodity. For example, in 2020, a Russian state-sponsored threat actor exploited an Exim vulnerability, discovered nearly half a year earlier, to gain access to the email server.
IT teams using Exim should ensure they update to version 4.98 as this is the first patched version.