Researchers have discovered a critical vulnerability in the Exim mail transfer agent, which puts roughly 1.5 million email servers at risk of delivering malware to their users.
Exim is a mail transfer agent (MTA) used on Unix-like operating systems, responsible for routing, delivering, and receiving email messages. As a flexible, and highly configurable agent, Exim is a vastly popular choice among IT teams.
The researchers from security firm Censys found a vulnerability that hackers can use to bypass protections that usually prevent email messages from delivering attachments that can install apps or run code. The vulnerability is tracked as CVE-2024-39929, and carries a severity rating of 9.1/10 (critical).
Not (yet) abused
“I can confirm this bug,” Exim project team member Heiko Schlittermann wrote on a bug-tracking site, ArsTechnica reported. “It looks like a serious security issue to me.”
Censys says out of roughly 6.5 million public-facing SMTP email servers, 4.8 million are running Exim. Furthermore, 1.5 million are running an old, vulnerable version. So far, there have been no reports of in-the-wild abuse of the vulnerability, but now that it is out in the limelight, it’s only a matter of time before threat actors start scanning the internet for vulnerable instances.
To make the attack work, the victims would still need to run the attachment and install the malware. However, threat actors have been running some highly sophisticated social engineering attacks lately, which means the risk of infection is very real.
With phishing still being one of the most popular methods of malware delivery, flawed email servers are a highly-regarded commodity. For example, back in 2020, a Russian state-sponsored threat actor abused an Exim flaw, found almost half a year earlier, to gain access to the email server.
IT teams running Exim should make sure they patch it to 4.98, since this is the first fixed version.