CVE-2019-13917
published 2019-07-25


Priority: P262, critical
CVSS 3.0: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 8.62% (94.4th percentile)
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).

Affected (4 ranges)

Vendor   Product        Version range               Fixed in
debian   debian_linux
debian   debian_linux
debian   exim4          < exim4 4.92-10 (bookworm)  exim4 4.92-10 (bookworm)
exim     exim           4.85 – 4.92

Detection & IOCs (extracted from sources)

  • Vulnerable Exim versions are 4.85 through 4.92; flag any Exim process or SMTP banner reporting one of these versions as potentially exploitable under CVE-2019-13917.
  • Inspect Exim configuration files for use of the '${sort }' expansion; its presence in combination with attacker-controllable variables ($local_part, $domain) is the direct trigger for this RCE.
  • Note that the default Exim upstream configuration does NOT contain '${sort }'; only non-default/custom configurations are affected. Audit non-default configs specifically.
  • Exploitation requires a non-default Exim configuration that uses the '${sort }' expansion with attacker-controllable input (e.g., $local_part or $domain). Default Exim deployments are NOT affected.
  • Red Hat Enterprise Linux 5 ships Exim 4.63 and is not affected; only Exim 4.85–4.92 are vulnerable.
  • Mitigation (short of patching to 4.92.1 or later) is to remove any use of '${sort }' from the Exim configuration.
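The two checks above (version window and '${sort }' usage with attacker-controllable variables) as an added Python example; this is not code from the page or from the Exim project. The sample banner strings and configuration snippet are constructed, and the variable list and version bounds are taken from the advisory text.

```python
import re
from typing import List, Tuple

# Affected window from the advisory: 4.85 through 4.92; 4.92.1 is the fix.
AFFECTED_MIN = (4, 85)
AFFECTED_MAX = (4, 92)            # (4, 92, 1) compares greater, so 4.92.1 falls outside
# Attacker-influenced expansion variables named in the advisory.
CONTROLLED = ("local_part", "domain")


def parse_version(banner: str) -> Tuple[int, ...]:
    """Extract the dotted upstream version from an SMTP banner or 'exim -bV' line."""
    m = re.search(r"\b(\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_affected(banner: str) -> bool:
    """True if the upstream version lies in 4.85..4.92 (distro backports need a changelog check)."""
    return AFFECTED_MIN <= parse_version(banner) <= AFFECTED_MAX


def sort_expansions(config: str) -> List[str]:
    """Return each complete ${sort ...} expansion, walking nested ${...} braces."""
    found = []
    for m in re.finditer(r"\$\{sort\b", config):
        depth = 0
        for j in range(m.start() + 1, len(config)):   # start at the '{' after '$'
            if config[j] == "{":
                depth += 1
            elif config[j] == "}":
                depth -= 1
                if depth == 0:
                    found.append(config[m.start():j + 1])
                    break
    return found


def risky_sort_expansions(config: str) -> List[str]:
    """Only the ${sort } expansions whose body references $local_part or $domain."""
    pat = re.compile(r"\$\{?(" + "|".join(CONTROLLED) + r")\b")
    return [e for e in sort_expansions(config) if pat.search(e)]


# Constructed sample config: one expansion fed by $local_part, one over a fixed list.
SAMPLE_CONFIG = r"""
warn_list = ${sort {${lookup{$local_part}lsearch{/etc/aliases}}}{<}{$item}}
ordered   = ${sort {a:b:c}{<}{$item}}
"""
```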

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_redhat            9.8    CRITICAL