CVE-2020-28026
published 2021-05-06


Priority: P268 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.29% (94.7th percentile)
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.

Affected

2 ranges

Vendor   Product   Version range                   Fixed in
debian   exim4     < exim4 4.94.2-1 (bookworm)     exim4 4.94.2-1 (bookworm)
exim     exim      >= 4.00, < 4.94.2               4.94.2

Detection & IOCs (extracted from sources)

  • Look for SMTP RCPT TO commands whose ORCPT= parameter carries a line delimiter. A bare CR or LF terminates the SMTP command line, so inspect the value in decoded form as well: RFC 3461 ORCPT values are xtext, in which "+0D" and "+0A" are the hex escapes for CR and LF.
  • Exploitation requires Delivery Status Notification (DSN) to be enabled, which is not the default: Exim advertises and accepts DSN only for hosts matched by the dsn_advertise_hosts main option, which is unset by default (check with exim -bP dsn_advertise_hosts). Filter SMTP traffic for ORCPT= parameters on instances that advertise DSN.
  • Only Exim 4 versions before 4.94.2 are affected; instances running 4.94.2 or later are not (check the running version with exim -bV).
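The detection and version checks above, as an added example that is not part of this page or of the Exim project: a Python scanner that pulls the ORCPT= value out of RCPT TO commands, flags a CR/LF whether literal or xtext-encoded (+0D / +0A per RFC 3461), and screens an Exim version string against the affected range listed on this page. The sample SMTP lines are constructed, not captured traffic, and all function names are the example's own.

```python
"""Added example (not part of this page or of Exim itself): screen SMTP
command lines for RCPT TO ORCPT= values that carry a line delimiter, and
screen an Exim version string against the affected range on this page.

Assumptions: RFC 3461 ORCPT values are xtext, so CR and LF can be written
as the hex escapes +0D and +0A; a bare CR/LF ends an SMTP command line, so
a literal one only shows up in a record a capture tool has already joined.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample session, not captured traffic. Line 5 carries a literal
# CRLF to stand for a record that a capture tool has already reassembled.
SAMPLE_LINES = [
    "EHLO mx.example.net",
    "MAIL FROM:<sender@example.net>",
    "RCPT TO:<bob@example.com> ORCPT=rfc822;alice@example.org NOTIFY=SUCCESS",
    "RCPT TO:<carol@example.com> ORCPT=rfc822;evil+0Ainjected@example.org",
    "RCPT TO:<dave@example.com> ORCPT=rfc822;evil\r\ninjected@example.org",
    "RCPT TO:<erin@example.com>",
    "DATA",
]

# Forward-path in angle brackets, then the optional ESMTP parameters.
# DOTALL lets the parameter group span a literal CR/LF inside a joined record.
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<[^>]*>\s*(?P<params>.*)$",
                     re.IGNORECASE | re.DOTALL)


def xtext_decode(value: str) -> str:
    """RFC 3461 xtext: '+HH' is one byte in hex; everything else is literal.
    The RFC mandates uppercase hex; lowercase is accepted here to be lenient."""
    return re.sub(r"\+([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def find_orcpt(line: str) -> Optional[str]:
    """Return the raw ORCPT= value of an RCPT TO command, or None."""
    m = RCPT_RE.match(line)
    if not m:
        return None
    # Split on single spaces only, so a literal CR/LF inside a value survives.
    for param in m.group("params").split(" "):
        name, _, value = param.partition("=")
        if name.upper() == "ORCPT":
            return value
    return None


def classify_orcpt(value: str) -> Optional[str]:
    """Describe why an ORCPT value is suspicious, or None if it is clean."""
    if "\r" in value or "\n" in value:
        return "literal line delimiter"
    decoded = xtext_decode(value)
    if "\r" in decoded or "\n" in decoded:
        return "xtext-encoded line delimiter"
    return None


def scan_smtp_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, reason, raw ORCPT value) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        orcpt = find_orcpt(line)
        if orcpt is None:
            continue
        reason = classify_orcpt(orcpt)
        if reason:
            hits.append((lineno, reason, orcpt))
    return hits


def is_affected_exim_version(version: str) -> bool:
    """True when an upstream Exim version is in the page's range >= 4.00, < 4.94.2.

    A Debian-style package revision ("-1") is dropped first. Distributions may
    ship the fix under an older upstream number, so confirm against the vendor
    advisory rather than relying on this comparison alone.
    """
    upstream = version.split("-", 1)[0]
    parts = tuple(int(p) for p in re.findall(r"\d+", upstream)[:3])
    return (4, 0) <= parts < (4, 94, 2)


if __name__ == "__main__":
    for lineno, reason, orcpt in scan_smtp_lines(SAMPLE_LINES):
        print(f"line {lineno}: {reason}: {orcpt!r}")
    for v in ("4.94.1", "4.94-7", "4.94.2", "4.94.2-1", "4.95"):
        state = "affected" if is_affected_exim_version(v) else "not affected"
        print(f"exim {v}: {state}")
```

Run it directly to see the two sample hits (lines 4 and 5) and the version screening. In a real deployment, feed scan_smtp_lines() the RCPT TO commands from a DSN-advertising Exim host's SMTP capture; the version heuristic is a first filter only, since a distribution package can carry the fix under an older upstream version number.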

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_ubuntu            9.8    CRITICAL