⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions.

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.1% (top 0.09%)
CISA KEV: Added 2022-03-25, due 2022-04-15
Exploit: Exploited in the wild; active exploitation observed

Timeline
Published: Jan 29
KEV added: Mar 25
KEV due: Apr 15
Latest update: Feb 2
CISA Required Action: Apply updates per vendor instructions.

Description

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (3 packages)

Debian: opensmtpd/opensmtpd < 6.6.2p1-1+3
Ubuntu: opensmtpd/opensmtpd < 5.4.1p1-1ubuntu0.1~esm1+1

Also affects: Debian Linux 10.0, 9.0; Fedora 32; Ubuntu Linux 18.04, 19.10

Patches

🔴 Vulnerability Details (5)

GHSA: GHSA-rcw6-69h3-89fh: smtp_mailaddr in smtp_session (2022-05-24)
OSV: opensmtpd vulnerabilities (2021-03-15)
OSV: CVE-2020-7247: smtp_mailaddr in smtp_session (2020-01-29)
CVEList: CVE-2020-7247: smtp_mailaddr in smtp_session (2020-01-29)
VulnCheck: OpenSMTPD Remote Code Execution Vulnerability (2020)

💥 Exploits & PoCs (5)

Exploit-DB: OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution (2020-02-11)
Exploit-DB: OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit) (2020-02-10)
Exploit-DB: OpenSMTPD 6.6.1 - Remote Code Execution (2020-01-30)
Nuclei: OpenSMTPD 6.4.0-6.6.1 - Remote Code Execution
Metasploit: OpenSMTPD MAIL FROM Remote Code Execution

🔍 Detection Rules (1)

Suricata: ET EXPLOIT Possible OpenSMTPD RCE Inbound (CVE-2020-7247) (2021-02-17)

📋 Vendor Advisories (4)

CISA: OpenSMTPD Remote Code Execution Vulnerability (2022-03-25)
Ubuntu: OpenSMTPD vulnerabilities (2021-03-15)
Ubuntu: OpenSMTPD vulnerability (2020-02-05)
Debian: CVE-2020-7247: opensmtpd - smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and oth... (2020)

🕵️ Threat Intelligence (7)

Qualys: Mutagen Astronomy: From Discovery to CISA Recognition: A Seven-Year Journey (2026-02-02)
Qualys: Mutagen Astronomy: A Linux Vulnerability's Path to CISA KEV | Qualys (2026-02-02)
Unit42: Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes (2021-10-14)
Trendmicro: CVE-2020-8794 Can Lead to Privilege Escalation and RCE (2020-03-12)

📄 Research Papers (3)

arXiv: Attack Effect Model based Malicious Behavior Detection (2025-06-05)
arXiv: VulZoo: A Comprehensive Vulnerability Intelligence Dataset (2024-09-24)
arXiv: Evaluation of Reinforcement Learning for Autonomous Penetration Testing using A3C, Q-learning and DQN (2024-07-22)

💬 Community (3)

Bugzilla: CVE-2020-7247 opensmtpd: arbitrary command execution in smtp_mailaddr in smtp_session.c via crafted SMTP session [fedora-all] (2020-02-03)
Bugzilla: CVE-2020-7247 opensmtpd: arbitrary command execution in smtp_mailaddr in smtp_session.c via crafted SMTP session (2020-02-03)
Bugzilla: CVE-2020-7247 opensmtpd: arbitrary command execution in smtp_mailaddr in smtp_session.c via crafted SMTP session [epel-all] (2020-02-03)