Published: 06/09/2019 Updated: 06/09/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Exim prior to 4.92.2 allows remote malicious users to execute arbitrary code as root via a trailing backslash.

Affected Products

Vendor   Product        Versions
Exim     Exim           2.10, 2.11, 2.12, 3.00, 3.01, 3.02, 3.03, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.20, 3.21, 3.22, 3.30, 3.31, 3.32, 3.33, 3.34, 3.35, 3.36, 4.00, 4.01, 4.02, 4.03, 4.04, 4.05, 4.10, 4.11, 4.12, 4.14, 4.20, 4.21, 4.22, 4.23, 4.24, 4.30, 4.31, 4.32, 4.33, 4.34, 4.40, 4.41, 4.42, 4.43, 4.44, 4.50, 4.51, 4.52, 4.53, 4.54, 4.60, 4.61, 4.62, 4.63, 4.64, 4.65, 4.66, 4.67, 4.68, 4.69, 4.70, 4.71, 4.72, 4.73, 4.74, 4.75, 4.76, 4.77, 4.80, 4.80.1, 4.82, 4.82.1, 4.85, 4.85.1, 4.85.2, 4.86, 4.86.1, 4.87, 4.87.1, 4.88, 4.89, 4.89.1, 4.90, 4.90.1, 4.91, 4.92, 4.92.1
Debian   Debian Linux   8.0, 9.0, 10

Vendor Advisories

Exim could be made to run programs as an administrator if it received specially crafted network traffic ...
"Zerons" and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges. For the oldstable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u6. For the stable distribution (buster), this problem has be ...
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash (CVE-2019-15846) ...
Impact: Critical Public Date: 2019-09-06 CWE: CWE-119->CWE-787 Bugzilla: 1748397: CVE-2019-15846 exi ...
Arch Linux Security Advisory ASA-201909-3 ========================================= Severity: Critical Date : 2019-09-06 CVE-ID : CVE-2019-15846 Package : exim Type : arbitrary command execution Remote : Yes Link : security.archlinux.org/AVG-1037 Summary ======= The package exim before version 4.92.2-1 is vulnerable to arbitra ...
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4517-1 security () debian org www.debian.org/security/ Moritz Muehlenhoff September 06, 2019 www.debian.org/security/faq ...
CVE ID: CVE-2019-15846 Credits: Zerons <sironhide0null () gmail com>, Qualys Version(s): all versions up to and including 4.92.1 Issue: The SMTP Delivery process in all¹ versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted S ...
*** Note: EMBARGO is still in effect! *** *** Distros must not publish any detail yet *** Heads up! Security release ahead! CVE ID: CVE-2019-15846 Version(s): up to and including 4.92.1 Issue: A local or remote attacker can execute programs with root privileges Details: Will be made public at CRD. Currently there is ...
Shouldn't this be in the connect ACL? How would the deny in MAIL FROM prevent the exploit? What I have understood is that there is an exploit in the SNI of the TLS negotiation, thus the whole connect attempt must be rejected, right? -----Original message----- From: Exim-users <exim-users-bounces+sebastian=sebbeeu () exim org> On behalf of Heiko Sc ...

Recent Articles

Stop us if you've heard this one before: Yet another critical flaw threatens Exim servers
The Register • Shaun Nichols in San Francisco • 30 Sep 2019

Remote code flaw sparks calls for major updates

Admins of Linux and Unix boxes running Exim would be well-advised to update the software following the disclosure of another critical security flaw.
The Exim 4.92.3 patch, released on September 28th, includes a fix to close up the CVE-2019-16928 flaw.
Discovered by bug-hunters with the QAX A-Team, the vulnerability is caused by a buffer overflow error that occurs when Exim processes an extremely long string in an Extended HELO (EHLO) Extended Simple Mail Transfer Protocol (ESMTP) comm...

New Exim Vulnerability Exposes Servers to DoS Attacks, RCE Risks
BleepingComputer • Sergiu Gatlan • 30 Sep 2019

A new critical vulnerability in the Exim mail transfer agent (MTA) software was patched to prevent denial of service (DoS) or possibly remote code execution attacks.
The security flaw tracked as CVE-2019-16928 and reported by QAX-A-TEAM has been fixed in Exim version 4.92.3, also released today, and it impacts all versions 4.92 up to (and including) 4.92.2.
"There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinary long EH...

Critical Exim Flaw Opens Millions of Servers to Takeover
Threatpost • Lindsey O'Donnell • 09 Sep 2019

Researchers are urging users to upgrade their Exim servers immediately after millions of servers were found to be vulnerable to a critical flaw that could allow a remote, unauthenticated attacker to take full control of them.
Exim, which is free software used on Unix-like operating systems (including Linux or Mac OSX) serves as a mail transfer agent that manages mail routing services for organizations. According to Shodan, Exim is the most used mail transfer agent globally and...

Exim marks the spot… of remote code execution: Patch due out today for 'give me root' flaw in mail server
The Register • Shaun Nichols in San Francisco • 06 Sep 2019

Install incoming update to avoid having your boxes hijacked

The widely used Exim email server software is due to be patched today to close a critical security flaw that can be exploited to potentially gain root-level access to the machine.
The programming blunder can be abused over the network, or internet if the server is public facing, or by logged-in users to completely commandeer vulnerable installations, steal or tamper with data, install spyware, and so on.
The vulnerability, designated CVE-2019-15846, has been kept under tight wraps. D...

Critical Exim TLS Flaw Lets Attackers Remotely Execute Commands as Root
BleepingComputer • Sergiu Gatlan • 06 Sep 2019

The Exim mail transfer agent (MTA) software is impacted by a critical severity vulnerability present in versions 4.80 up to and including 4.92.1.
The bug allows local or unauthenticated remote attackers to execute programs with root privileges on servers that accept TLS connections.
The flaw tracked as CVE-2019-15846 — initially reported by 'Zerons' on July 21 and analyzed by Qualys' research team — is "exploitable by sending an SNI ending in a backslash-null sequence during...