CVE-2019-10149
Published: 2019-06-05
Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability: due 2022-07-10
Exploited in the wild
EPSS: 99.96% (100.0th percentile)
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | exim4 | < exim4 4.92~RC3-1 (bookworm) | exim4 4.92~RC3-1 (bookworm) |
| exim | exim | — | — |
| exim | exim | 4.87 – 4.91 | — |
Detection & IOCs (extracted from sources)
- Check Point IPS signature name for detecting CVE-2019-10149 exploitation attempts: 'Exim Mail Server Remote Code Execution (CVE-2019-10149)'.
- Exploitation only requires sending a malicious email to a vulnerable Exim server; injected commands typically run as root.
- Use Qualys QID 50092 (generic remote Potential QID) to identify vulnerable Exim hosts remotely.
- Exploitation speed varies by Exim configuration: some configurations allow faster exploitation while others may require up to a week.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
CISA
Exim Mail Transfer Agent (MTA) Improper Input Validation
cisa·2022-01-10·CVSS 9.8
CVE-2019-10149 [CRITICAL] CWE-78 Exim Mail Transfer Agent (MTA) Improper Input Validation
Vulnerability: Exim Mail Transfer Agent (MTA) Improper Input Validation
Affected: Exim Mail Transfer Agent (MTA)
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-10149
Remediation Due Date: 2022-07-10
Ubuntu
Exim vulnerability
vendor_ubuntu·2019-06-05
CVE-2019-10149 Exim vulnerability
Title: Exim vulnerability
Summary: Exim could be made to run commands if it received specially crafted network traffic.
It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
exim: Remote command execution in deliver_message() function in /src/deliver.c
vendor_redhat·2019-06-04·CVSS 9.8
CVE-2019-10149 [CRITICAL] CWE-78 exim: Remote command execution in deliver_message() function in /src/deliver.c
exim: Remote command execution in deliver_message() function in /src/deliver.c
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
A flaw was found in Exim, where improper validation of the recipient address in the deliver_message() function in /src/deliver.c occurred. An attacker could use this flaw to achieve remote command execution.
Statement: Exim is vulnerable since version 4.87, therefore the version of exim package (exim-4.63) shipped with Red Hat Enterprise Linux 5 is not affected by this flaw.
Package: exim (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2019-10149: exim4 - A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation ...
vendor_debian·2019·CVSS 9.8
CVE-2019-10149 [CRITICAL] CVE-2019-10149: exim4 - A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation ...
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Scope: local
bookworm: resolved (fixed in 4.92~RC3-1)
bullseye: resolved (fixed in 4.92~RC3-1)
forky: resolved (fixed in 4.92~RC3-1)
sid: resolved (fixed in 4.92~RC3-1)
trixie: resolved (fixed in 4.92~RC3-1)
GHSA
GHSA-5r7w-xvrp-rg22: A flaw was found in Exim versions 4
ghsa_unreviewed·2022-05-24
CVE-2019-10149 [CRITICAL] CWE-20 GHSA-5r7w-xvrp-rg22: A flaw was found in Exim versions 4
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
OSV
CVE-2019-10149: A flaw was found in Exim versions 4
osv·2019-06-05·CVSS 9.8
CVE-2019-10149 [CRITICAL] CVE-2019-10149: A flaw was found in Exim versions 4
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
VulnCheck
Exim Mail Transfer Agent (MTA) Improper Input Validation
vulncheck·2019·CVSS 9.8
CVE-2019-10149 [CRITICAL] CWE-78 Exim Mail Transfer Agent (MTA) Improper Input Validation
Exim Mail Transfer Agent (MTA) Improper Input Validation
Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Affected: Exim Mail Transfer Agent (MTA)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blog.sonicwall.com/en-us/2019/12/top-cves-exploited-in-the-wild-in-the-year-2019/; https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf; https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA-Sandworm-Actors-Exploiting-Vulnerability-in-Exim-Transfer-Agent-20200528.pdf; https://us-cert.cisa.gov/ncas/current-activity/2020/05/28/nsa-releases-advisory-sandworm-actors-exploit
Suricata
ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)
suricata·2019-06-07·CVSS 9.8
CVE-2019-10149 [CRITICAL] ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)
ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)
Rule:
```
alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"; flow:established,to_server; content:"RCPT|20|TO"; content:"|24 7b|run|7b|"; within:12; fast_pattern; content:"|7d 7d 40|"; distance:0; reference:url,www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt; classtype:attempted-admin; sid:2027442; rev:4; metadata:attack_target SMTP_Server, created_at 2019_06_07, cve CVE_2019_10149, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19;)
```
Exploit-DB
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)
exploitdb·2019-08-26·CVSS 9.8
CVE-2019-10149 [CRITICAL] Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'expect'
class MetasploitModule 'Exim 4.87 - 4.91 Local Privilege Escalation',
  'Description' => %q{
    This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
    Improper validation of recipient address in deliver_message()
    function in /src/deliver.c may lead to command execution with root privileges
    (CVE-2019-10149).
  },
  'License' => MSF_LICENSE,
  'Author' =>
    [
      'Qualys',          # Discovery and PoC (@qualys)
      'Dennis Herrmann', # Working exploit (@dhn)
      'Marco Ivaldi',    # Working exploit (@0xdea)
      'Guillaume André'  # Metasploit module (@yaumn_)
    ],
  'DisclosureDate' => '2019-06-05',
  'Pl
```
Exploit-DB
Exim 4.87 - 4.91 - Local Privilege Escalation
exploitdb·2019-06-17·CVSS 9.8
CVE-2019-10149 [CRITICAL] Exim 4.87 - 4.91 - Local Privilege Escalation
Exim 4.87 - 4.91 - Local Privilege Escalation
---
```bash
#!/bin/bash
#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell hel
```
Exploit-DB
Exim 4.87 < 4.91 - (Local / Remote) Command Execution
exploitdb·2019-06-05·CVSS 9.8
CVE-2019-10149 [CRITICAL] Exim 4.87 < 4.91 - (Local / Remote) Command Execution
Exim 4.87 < 4.91 - (Local / Remote) Command Execution
---
[...]
```c
                   address));
  deliver_domain = expand_string(
    string_sprintf("${domain:%s}", new->address));

  (void) event_raise(event_action,
    US"msg:fail:internal", new->message);

  deliver_localpart = save_local;
  deliver_domain = save_domain;
  }
#endif
```
Because expand_string() recognizes the "${run{ }}" expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to "${run{...}}@localhost" (where "localhost" is one of Exim's local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default):
[...]
Remote exploitation
Our local-exploitation method does not work remotely, because the "verify = recipient" ACL (Access-Control List) in Exim's def
Metasploit
Exim 4.87 - 4.91 Local Privilege Escalation
metasploit·CVSS 9.8
CVE-2019-10149 [CRITICAL] Exim 4.87 - 4.91 Local Privilege Escalation
Exim 4.87 - 4.91 Local Privilege Escalation
This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).
Qualys
Mutagen Astronomy: From Discovery to CISA Recognition—A Seven-Year Journey
blogs_qualys·2026-02-02·CVSS 7.8
CVE-2018-14634 [HIGH] Mutagen Astronomy: From Discovery to CISA Recognition—A Seven-Year Journey
## Table of Contents
- Introduction
- Why This Matters Now
- Looking Back: The Original Discovery
- Guidance for Security Teams
- A Note on Our Research Mission
- Conclusion
- Frequently Asked Questions (FAQs)
## Introduction
On January 26, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2018-14634 to its Known Exploited Vulnerabilities (KEV) catalog. The same vulnerability was discovered by the Qualys Threat Research Unit (TRU) in September 2018.
We nicknamed it “Mutagen Astronomy” as a tribute to the 1992 film Sneakers . In that movie, the phrase “Setec Astronomy” is revealed as an anagram for “Too Many Secrets.” Following that tradition, “Mutagen Astronomy” is our anagram for “Too Many Arguments”, which precisely captures the technical root cause of this vulnera
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
blogs_tenable·2024-10-22
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
Bleepingcomputer
Millions of Exim mail servers exposed to zero-day RCE attacks
blogs_bleepingcomputer·2023-09-29·CVSS 9.8
CVE-2023-42115 [CRITICAL] Millions of Exim mail servers exposed to zero-day RCE attacks
## Millions of Exim mail servers exposed to zero-day RCE attacks
## Sergiu Gatlan
A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers.
Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service.
While this type of issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default," a ZDI security advisory
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Tenable
Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy
blogs_tenable·2023-01-27
Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy
Qualys
Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines
blogs_qualys·2022-02-26
Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines
## Table of Contents
Protecting Customer Data on Qualys Cloud Platform
Urgent: Assess and Heighten Your Security Posture
Step 1: Monitor Your Shodan/Internet Exposed Assets
Step 2: Detect, Prioritize and Remediate CISAs Catalog ofKnown Exploited Vulnerabilities
Step 3: Protect Your Cloud Services and Office 365
Step 4: Continuously Detect any Potential Threats and Attacks
Take Action to Learn More about How to Strengthen Your Defenses
CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA’s recommendations.
With the invasion of Ukraine by Russia, the U.
Tenable
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
blogs_tenable·2022-02-24
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
blogs_unit42·2022-02-22
Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams
Unit 42 · Published: February 22, 2022
## Executive Summary
Over the past several weeks, Russia-Ukraine cyber activity has escalated substantially. Beginning on Feb. 15, a series of distributed denial of service (DDoS) attacks commenced. These attacks have continued over the past week, impacting both the Ukrainian government and banking institutions. On Feb. 23, a new variant of wiper malware named HermeticWiper was discovered in Ukraine. Shortly after, a new round of website defacement attacks were also observed impacting Ukrainian government organizations.
Consistent with our previous reporting on the topic, several western governments have issued recommendations for their populations to prepare for cyberattacks that could disrupt, disable or destroy critical infrastructure. We have already observed an increase in Russian c
Tenable
CVE-2020-4006: VMware Command Injection Flaw Exploited by Russian State-Sponsored Threat Actors
blogs_tenable·2020-12-08·CVSS 9.1
[CRITICAL] CVE-2020-4006: VMware Command Injection Flaw Exploited by Russian State-Sponsored Threat Actors
Tenable
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
blogs_tenable·2020-10-23
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
Securelist
APT trends report Q2 2020
blogs_securelist·2020-07-29
APT trends report Q2 2020
Table of Contents
- The most remarkable findings
- Russian-speaking activity
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2020.
Readers who would like to learn
Checkpoint
1st June – Threat Intelligence Bulletin
blogs_checkpoint·2020-06-01·CVSS 9.8
CVE-2019-10149 [CRITICAL] 1st June – Threat Intelligence Bulletin
## 1st June – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 1st June 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The US NSA has warned that Russia’s Sandworm APT group, an arm of Russian military intelligence, has been exploiting a vulnerability in the Exim mail traffic agent since August of last year, giving it remote code execution abilities. Sandworm is believed to have been responsible for the Ukraine grid disruptions in 2015.
C
Qualys
NSA Announces Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)
blogs_qualys·2020-05-29·CVSS 9.8
CVE-2019-10149 [CRITICAL] NSA Announces Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)
The Exim MTA vulnerability, initially reported by Qualys in May 2019, is currently being exploited in the wild. Recently, the US National Security Agency (NSA) announced that Sandworm actors (Russian hacker group) have been actively exploiting the Exim Mail Transfer Agent vulnerability.
Qualys released a blog post last year describing how to identify assets that are impacted by this vulnerability in your environment: Exim MTA Vulnerability (The Return of the WIZard – CVE-2019-10149)
## Sandworm Attacks
Exim MTA vulnerability could be exploited by sending a malicious email to the server, allowing an attacker to run code on the server remotely. This vulnerability can lead to Remote Command Injection, and is currently being actively attacked in the wild.
NSA mentioned Sandworm actors have
Tenable
How VPR Helped Prioritize the Most Dangerous CVEs in 2019
blogs_tenable·2020-04-30
How VPR Helped Prioritize the Most Dangerous CVEs in 2019
Tenable
How COVID-19 Response Is Expanding the Cyberattack Surface
blogs_tenable·2020-03-30
How COVID-19 Response Is Expanding the Cyberattack Surface
Tenable
CVE-2019-16928: Critical Buffer Overflow Flaw in Exim is Remotely Exploitable
blogs_tenable·2019-09-30·CVSS 9.8
[CRITICAL] CVE-2019-16928: Critical Buffer Overflow Flaw in Exim is Remotely Exploitable
Tenable
CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim
blogs_tenable·2019-09-06·CVSS 9.8
[CRITICAL] CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim
Tenable
CVE-2019-0708: BlueKeep Exploits Could Be Around the Corner
blogs_tenable·2019-08-01·CVSS 9.8
Tenable
WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581)
blogs_tenable·2019-07-25·CVSS 9.8
Qualys
Exim MTA Vulnerability (The Return of the WIZard - CVE-2019-10149) | Qualys
blogs_qualys·2019-06-14·CVSS 9.8
Last week, Qualys issued a security advisory for a vulnerability we discovered during a code review of Exim. This vulnerability can lead to Remote Command Injection, and is currently being actively attacked in the wild. This blog will show you how to quickly identify assets that are impacted by this vulnerability.
### The Vulnerability
This vulnerability exists in all versions of Exim’s MTA from version 4.87 to 4.91. Exploitation of the vulnerability only requires a malicious email to be sent to a vulnerable server, and injected commands will typically run as root. There are multiple ways that Exim can be configured, and some of these will allow for faster exploitation, while others may require a week to fully exploit. For technical details on this vulnerability please see our security a
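The Qualys excerpt above promises a way to identify impacted assets. As an added example, not code from Qualys or the Exim project, the Python routine below applies the affected range stated on this page (4.87 through 4.91 inclusive, fixed upstream in 4.92) to Exim version strings taken from an SMTP greeting or from the first lines of `exim -bV`, and honours the reporter's note that the bug is vulnerable by default only because event support is compiled in: a build with DISABLE_EVENT is flagged separately. Assumptions, all mine rather than the page's: the greeting and `-bV` formats shown in the constructed samples, that `exim -bV` lists Event on its "Support for:" line when event support is compiled in, and the host names and banners, which are made up. Every 4.92 string is treated as fixed; Debian's fixed package is 4.92~RC3-1, and the page says nothing about earlier 4.92 release candidates.

```python
import re
from typing import Dict, Optional, Tuple

# Upstream range named on this page: 4.87 through 4.91 inclusive; 4.92 carries the fix.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Version token as seen in an SMTP greeting ("220 mx ESMTP Exim 4.91 Tue, ...") or on
# the first line of `exim -bV` ("Exim version 4.91 #1 built 04-Jun-2019 ...").
# Trailing distro/pre-release suffixes ("_1", "~RC3") land in the third group.
_VERSION_RE = re.compile(r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)([^\s#]*)", re.IGNORECASE)


def parse_exim_version(text: str) -> Optional[Tuple[int, int, str]]:
    """Return (major, minor, suffix) from banner or -bV text, or None if no Exim version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def classify_exim(text: str) -> Dict[str, Optional[str]]:
    """Classify one host for CVE-2019-10149 from its banner or `exim -bV` output.

    Verdicts:
      affected    upstream 4.87..4.91, vulnerable by default
      fixed       4.92 or later (all 4.92 pre-release strings are treated as fixed)
      pre-4.87    older release; only vulnerable if EXPERIMENTAL_EVENT was enabled at build
      events-off  affected version whose -bV "Support for:" line lacks Event
                  (a DISABLE_EVENT build), so the default-vulnerable condition does not hold
      unknown     no Exim version string found
    """
    ver = parse_exim_version(text)
    if ver is None:
        return {"version": None, "verdict": "unknown"}
    major, minor, suffix = ver
    key = (major, minor)
    if key < AFFECTED_MIN:
        verdict = "pre-4.87"
    elif key > AFFECTED_MAX:
        verdict = "fixed"
    else:
        verdict = "affected"
        # Assumed `exim -bV` format: the "Support for:" line lists "Event" when
        # event support is compiled in (the default since 4.87). A greeting alone
        # has no such line, so banner-only input stays "affected".
        support = re.search(r"^Support for:(.*)$", text, re.MULTILINE)
        if support and "Event" not in support.group(1).split():
            verdict = "events-off"
    return {"version": f"{major}.{minor}{suffix}", "verdict": verdict}


def triage(samples: Dict[str, str]) -> Dict[str, str]:
    """host -> verdict for a batch of captured greetings / -bV outputs."""
    return {host: classify_exim(text)["verdict"] for host, text in samples.items()}


# Constructed sample inputs; these are not captured from real hosts.
SAMPLES = {
    "mx1": "220 mx1.example.test ESMTP Exim 4.91 Mon, 10 Jun 2019 12:00:00 +0000",
    "mx2": "220 mx2.example.test ESMTP Exim 4.92 Mon, 10 Jun 2019 12:00:00 +0000",
    "mx3": "220 mx3.example.test ESMTP Exim 4.86_2 Mon, 10 Jun 2019 12:00:00 +0000",
    "mx4": "Exim version 4.90_1 #2 built 01-Jan-2019 00:00:00\n"
           "Support for: crypteq iconv() IPv6 OpenSSL DKIM",
    "mx5": "Exim version 4.89 #1 built 01-Jan-2018 00:00:00\n"
           "Support for: crypteq iconv() IPv6 OpenSSL Event DKIM",
    "mx6": "220 mx6.example.test ESMTP Postfix",
    "mx7": "Exim version 4.92~RC3 #1 built 01-Jan-2019 00:00:00",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Treat an "affected" verdict from a greeting as a prioritisation filter, not proof: distribution packages that backported the fix (Debian DSA-4456, Ubuntu USN-4010-1, Gentoo GLSA 201906-01 are all in the reference list below) keep the upstream version number in the banner, so confirm against the installed package version before closing or escalating the finding.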
Tenable
CVE-2019-10149: Critical Remote Command Execution Vulnerability Discovered In Exim
blogs_tenable·2019-06-06·CVSS 9.8
Bugzilla
CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c [epel-all]
bugzilla·2019-06-04·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects mu
Bugzilla
CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c
bugzilla·2019-05-29·CVSS 9.8
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
References:
https://www.openwall.com/lists/oss-security/2019/06/04/1
https://exim.org/static/doc/security/CVE-2019-10149.txt
Discussion:
Acknowledgments:
Name: Qualys Research Labs
---
As per the reporter:
"Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92 (released on Februar
References:
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00020.html
http://packetstormsecurity.com/files/153218/Exim-4.9.1-Remote-Command-Execution.html
http://packetstormsecurity.com/files/153312/Exim-4.91-Local-Privilege-Escalation.html
http://packetstormsecurity.com/files/154198/Exim-4.91-Local-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2019/Jun/16
http://www.openwall.com/lists/oss-security/2019/06/05/2
http://www.openwall.com/lists/oss-security/2019/06/05/3
http://www.openwall.com/lists/oss-security/2019/06/05/4
http://www.openwall.com/lists/oss-security/2019/06/06/1
http://www.openwall.com/lists/oss-security/2019/07/25/6
http://www.openwall.com/lists/oss-security/2019/07/25/7
http://www.openwall.com/lists/oss-security/2019/07/26/4
http://www.openwall.com/lists/oss-security/2021/05/04/7
http://www.securityfocus.com/bid/108679
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10149
https://seclists.org/bugtraq/2019/Jun/5
https://security.gentoo.org/glsa/201906-01
https://usn.ubuntu.com/4010-1/
https://www.debian.org/security/2019/dsa-4456
https://www.exim.org/static/doc/security/CVE-2019-10149.txt
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10149
Published: 2019-06-05
Added to CISA KEV: 2022-01-10
Exploited in the wild