⚠ Actively exploited

Added to CISA KEV on 2022-01-10. Federal agencies required to patch by 2022-07-10. Required action: Apply updates per vendor instructions..

CVE-2019-10149 — OS Command Injection in Exim

CWE-78 — OS Command Injection CWE-20 — Improper Input Validation41 documents17 sources

Severity

9.8CRITICALNVD

EPSS

93.9%

top 0.12%

CISA KEV

KEV

Added 2022-01-10

Due 2022-07-10

Exploit

Exploited in wild

Active exploitation observed

Affected products

Debian Exim4 Exim Canonical Ubuntu Linux +1 more

Timeline

PublishedJun 5

KEV addedJan 10

KEV dueJul 10

Latest updateFeb 2

CISA Required Action: Apply updates per vendor instructions.

Description

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/exim4< exim4 4.92~RC3-1 (bookworm)

▶NVDexim/exim4.87 — 4.91

▶CVEListV5exim/exim4.92

Also affects: Debian Linux 9.0, Ubuntu Linux 18.04, 18.10

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-5r7w-xvrp-rg22: A flaw was found in Exim versions 4↗2022-05-24

▶

OSV

CVE-2019-10149: A flaw was found in Exim versions 4↗2019-06-05

▶

VulnCheck

Exim Mail Transfer Agent (MTA) Improper Input Validation↗2019

▶

💥Exploits & PoCs

Exploit-DB

Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)↗2019-08-26

▶

Exploit-DB

Exim 4.87 - 4.91 - Local Privilege Escalation↗2019-06-17

▶

Exploit-DB

Exim 4.87 < 4.91 - (Local / Remote) Command Execution↗2019-06-05

▶

Metasploit

Exim 4.87 - 4.91 Local Privilege Escalation↗

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)↗2019-06-07

▶

📋Vendor Advisories

CISA

Exim Mail Transfer Agent (MTA) Improper Input Validation↗2022-01-10

▶

Ubuntu

Exim vulnerability↗2019-06-05

▶

Red Hat

exim: Remote command execution in deliver_message() function in /src/deliver.c↗2019-06-04

▶

Debian

CVE-2019-10149: exim4 - A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation ...↗2019

▶

🕵️Threat Intelligence

Qualys

Mutagen Astronomy: From Discovery to CISA Recognition—A Seven-Year Journey↗2026-02-02

▶

Qualys

Mutagen Astronomy: A Linux Vulnerability’s Path to CISA KEV | Qualys↗2026-02-02

▶

Tenable

From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25↗2024-10-22

▶

Bleepingcomputer

Millions of Exim mail servers exposed to zero-day RCE attacks↗2023-09-29

▶

Tenable

AA23-215A: 2022's Top Routinely Exploited Vulnerabilities↗2023-08-03

▶

💬Community

Bugzilla

CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c [epel-all]↗2019-06-04

▶

Bugzilla

CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c↗2019-05-29

▶