Millions of Exim Servers Still Exposed to Critical Flaw
Nearly 5 Million Servers May Be Affected; Only 82 Have Been Patched

Administrators have been slow to patch a critical vulnerability in the Exim Mail Transfer Agent that enables threat actors to bypass email security filters and deliver malicious attachments directly to user inboxes.
Exim, a widely used MTA on Unix-like operating systems, serves about 74% of the 6.54 million public-facing SMTP mail servers visible to Censys. The security firm said 4.83 million Exim servers could be vulnerable and that significant concentrations were in the United States, Russia and Canada. As of now, only 82 public-facing servers have updated to the patched release, Exim 4.98, researchers said.
The vulnerability, identified as CVE-2024-39929 with a CVSS score of 9.1, stems from a bug in the parsing of RFC 2231 headers. This flaw could let remote attackers evade filename extension blocking measures, allowing executable attachments to reach end users. If users download or execute these attachments, their systems could be compromised.
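The advisory describes the general class of problem: an attachment filter that only recognises the plain `filename="..."` parameter never sees a name carried as an RFC 2231 extended parameter (`filename*=charset''...`, possibly split across `filename*0*`, `filename*1*` continuation sections), so its extension check is applied to nothing. The script below is an added example written for this article, not Exim's code and not a reproduction of the specific Exim parsing defect; it contrasts a simplistic regex extractor with Python's standard `email` library, which decodes RFC 2231 parameters before the blocklist is consulted. The header samples and the blocked-extension list are constructed for the demonstration.

```python
import email
import os
import re
from typing import Optional

# Extensions a gateway policy refuses to deliver (constructed sample list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".js"}

# Constructed sample messages. The last two carry the filename as an RFC 2231
# extended parameter; the final one splits it over two continuation sections.
SAMPLE_MESSAGES = {
    "plain_blocked": b'Content-Disposition: attachment; filename="invoice.exe"\n\n',
    "plain_allowed": b'Content-Disposition: attachment; filename="invoice.pdf"\n\n',
    "rfc2231_blocked": b"Content-Disposition: attachment; filename*=utf-8''invoice.exe\n\n",
    "rfc2231_split": (
        b"Content-Disposition: attachment;\n"
        b" filename*0*=utf-8''inv;\n"
        b" filename*1*=oice.exe\n\n"
    ),
}


def naive_filename(disposition: str) -> Optional[str]:
    """Extract a filename the way a simplistic filter might: only the plain
    filename=... parameter is recognised, so RFC 2231 forms yield None."""
    m = re.search(r'\bfilename="?([^";\s]+)"?', disposition, re.IGNORECASE)
    return m.group(1) if m else None


def decoded_filename(raw_message: bytes) -> Optional[str]:
    """Let the standard library decode RFC 2231 extended and continuation
    parameters so the check is applied to the real filename."""
    msg = email.message_from_bytes(raw_message)
    return msg.get_filename()


def is_blocked(filename: Optional[str]) -> bool:
    """Blocklist decision. A missing filename is treated as 'nothing to check',
    which is exactly the gap a hidden filename slips through."""
    if filename is None:
        return False
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def evaluate(raw_message: bytes) -> dict:
    """Run both extractors over one message and report what each would do."""
    header = email.message_from_bytes(raw_message).get("Content-Disposition", "")
    naive = naive_filename(header)
    decoded = decoded_filename(raw_message)
    return {
        "naive_filename": naive,
        "decoded_filename": decoded,
        "naive_blocks": is_blocked(naive),
        "decoded_blocks": is_blocked(decoded),
    }


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, evaluate(raw))
```

The point for a filter author is that the decision must be taken on the decoded parameter value (here via `Message.get_filename()`), and that "no filename found" should not silently mean "deliver" when the header clearly declares an attachment.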
Censys disclosed this vulnerability July 4 and detailed its potential impact in a July 10 advisory. The flaw affects Exim versions up to and including 4.97.1.
A proof of concept for exploiting this vulnerability exists, although so far there are no known instances of active exploitation. But researchers warned that the widespread use of Exim MTA could make it a prime target.
Russian cyber actors from the GRU Main Center for Special Technologies, especially Sandworm, are known for exploiting vulnerabilities in Exim mail transfer agent software to seize control of mail servers. This tactic has been used since at least April 2019, the U.S. Cybersecurity and Infrastructure Security Agency reported in 2020 (see: Thousands of Exim Servers Vulnerable to Critical Flaw: Report).
Researchers advised administrators to prioritize upgrading to Exim 4.98 to mitigate this threat. The patch, which fixes the vulnerability, can be found on Exim's GitHub repository. Censys provides queries to identify potentially vulnerable Exim instances, aiding administrators in swiftly detecting and addressing this critical flaw.
Censys also offered two primary queries for identifying exposed Exim servers running vulnerable versions:
- Censys Search Query: `services.software: (product="exim" and version: [* to 4.97.1])`
- Censys ASM Query: `host.services.software: (product="exim" and version: [* to 4.97.1]) or web_entity.instances.software: (product="exim" and version: [* to 4.97.1])`
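The Censys queries find exposed hosts from the outside; an administrator also wants a local check across their own fleet. The script below is an added example written for this article, not a Censys or Exim tool. It parses the version string from the first line of `exim -bV` output or from an Exim SMTP greeting and compares it against the affected range the advisory gives (up to and including 4.97.1, fixed in 4.98). The host inventory lines are constructed samples; the banner format assumed is Exim's default "ESMTP Exim <version>" greeting.

```python
import re
from typing import Dict, Optional, Tuple

# Boundaries stated in the advisory: last affected release and first fixed one.
LAST_AFFECTED = (4, 97, 1)
FIXED_RELEASE = (4, 98)

# Matches "Exim version 4.97.1" (exim -bV) and "ESMTP Exim 4.97.1" (banner).
VERSION_RE = re.compile(r"\bExim(?: version)? (\d+(?:\.\d+)*)")

# Constructed inventory: host name -> first line captured from that host.
SAMPLE_INVENTORY = {
    "mx1.example.test": "Exim version 4.97.1 #2 built 01-Jan-2024 12:00:00",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.98 Thu, 11 Jul 2024 10:00:00 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.96 Thu, 11 Jul 2024 10:00:00 +0000",
    "mx4.example.test": "Exim version 4.97 #1 built 15-Nov-2023 09:30:00",
    "relay.example.test": "220 relay.example.test ESMTP Postfix",
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the Exim version as a tuple of ints, or None if no Exim
    version string is present (for example, a non-Exim banner)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """Tuple comparison orders releases lexicographically, so (4, 97) and
    (4, 97, 1) both fall inside the affected range and (4, 98) does not."""
    return version <= LAST_AFFECTED


def classify(text: str) -> str:
    """One of 'affected', 'fixed' or 'not-exim' for a captured line."""
    version = parse_version(text)
    if version is None:
        return "not-exim"
    return "affected" if is_affected(version) else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in the inventory."""
    return {host: classify(line) for host, line in inventory.items()}


def affected_hosts(inventory: Dict[str, str]) -> list:
    """Sorted list of hosts that still need the upgrade to 4.98."""
    return sorted(h for h, status in triage(inventory).items() if status == "affected")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20} {status}")
    print("needs upgrade:", affected_hosts(SAMPLE_INVENTORY))
```

Feed it real `exim -bV` output collected by your configuration management tool rather than banners where you can: banners can be customised or suppressed, so a missing version in a greeting is not evidence that a host is patched.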
To mitigate the risk, administrators should ensure timely updates to MTA software to maintain robust email security and prevent potential breaches.
Organizations using Exim also need to review the advisory, update their systems and use the provided queries to assess their exposure.