CVE-2023-42115: Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
Published 2024-05-03
Priority P273 · critical · CVSS 3.0 base score 9.8 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.04% (95.0th percentile)
Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17434.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.96-15+deb12u2 (bookworm) | exim4 4.96-15+deb12u2 (bookworm) |
| exim | exim | < 4.96.1 | 4.96.1 |
| exim | exim | — | — |
Detection & IOCs
snort (sid 2048390, rev 1):
```
alert smtp any any -> $HOME_NET any (msg:"ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-42115)"; flow:established; flowbits:isset,ET.eximsmtp; content:"auth|20|"; nocase; fast_pattern; pcre:"/^(?:(?:[^A\r\n]+[A])(?:[^A\r\n]+[A])){2,}/R"; reference:url,www.zerodayinitiative.com/advisories/ZDI-23-1469/; reference:url,labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/; reference:cve,2023-42115; classtype:attempted-admin; sid:2048390; rev:1; metadata:attack_target SMTP_Server, created_at 2023_10_03, cve CVE_2023_42115, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_03, reviewed_at 2023_10_03; target:dest_ip;)
```
- The Snort/Suricata rule fires on established SMTP traffic where, immediately after a case-insensitive "auth " token, the data consists of runs of non-'A', non-newline bytes each terminated by 'A', grouped in pairs and repeated two or more times (so at least four such runs), which the rule treats as indicative of the overflow payload. The flowbit ET.eximsmtp must already be set (i.e., the flow was previously identified as Exim SMTP by another rule).
- No authentication is required to exploit this vulnerability: monitor for anomalous AUTH command usage on TCP/25 from unauthenticated or external sources.
- The vulnerability is exploited via the SMTP AUTH mechanism; the out-of-bounds write results from improper validation of user-supplied data in the AUTH exchange.
- The Snort/Suricata rule is rated confidence Low and has Significant performance impact; tune deployment accordingly, especially on high-volume SMTP gateways.
- On Ubuntu, CVE-2023-42115 only affects Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04; not all Ubuntu releases are impacted.
- Red Hat products do not ship the vulnerable Exim package; no Red Hat-based systems are affected.
- Debian fixed versions are: bookworm 4.96-15+deb12u2, bullseye 4.94.2-7+deb11u1, forky/sid/trixie 4.97~RC1-2; ensure patched versions are deployed.
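To see what the ET rule above actually matches, here is an added stand-alone re-implementation of its matching conditions (not code from the page, Emerging Threats, or the Exim project). The PCRE body and the "auth " content match are taken verbatim from the rule; the function names, the `exim_flow` flag standing in for `flowbits:isset,ET.eximsmtp`, and the sample SMTP client lines are constructed here. Running it over the sample session shows both a line of the repetitive kind the rule describes and an ordinary-looking AUTH PLAIN blob with four interspersed capital 'A's firing the alert, which is why the rule carries confidence Low.

```python
"""Offline checker for the matching logic of ET rule sid 2048390 (CVE-2023-42115).

Added example: the regex and content match come from the rule on the page;
helper names, the exim_flow flag and the sample lines are constructed here.
"""
import re

# pcre from the rule, verbatim.  Snort's /R modifier anchors the match at the
# end of the preceding content match ("auth|20|"), which matches_rule()
# reproduces by slicing the line at that point before applying '^'.
AUTH_OVERFLOW_RE = re.compile(r"^(?:(?:[^A\r\n]+[A])(?:[^A\r\n]+[A])){2,}")

# content:"auth|20|"; nocase;   ("|20|" is Snort's hex escape for a space)
AUTH_CONTENT = re.compile(r"auth ", re.IGNORECASE)


def matches_rule(line: str, exim_flow: bool = True) -> bool:
    """Return True when one client command line satisfies every rule condition.

    exim_flow stands in for flowbits:isset,ET.eximsmtp: unless another rule has
    already tagged the flow as Exim SMTP, this rule cannot fire at all.
    """
    if not exim_flow:
        return False
    m = AUTH_CONTENT.search(line)
    if m is None:
        return False
    payload = line[m.end():]          # bytes after "auth ", where /R places '^'
    return AUTH_OVERFLOW_RE.match(payload) is not None


def scan_session(lines, exim_flow: bool = True):
    """Return the indices of client lines that would raise the alert."""
    return [i for i, line in enumerate(lines) if matches_rule(line, exim_flow)]


# Constructed client-side SMTP lines (not a real capture).
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "AUTH PLAIN AGpvZQBzZWNyZXQ=",     # ordinary blob, only two 'A' runs: no alert
    "AUTH PLAIN bAcAdAeAfA==",         # benign-looking blob, four 'A' runs: alert
    "AUTH EXTERNAL " + "xA" * 8,       # repetitive data of the kind the rule describes: alert
    "MAIL FROM:<alice@example.test>",
]

if __name__ == "__main__":
    for i in scan_session(SAMPLE_SESSION):
        print(f"alert sid:2048390 on client line {i}: {SAMPLE_SESSION[i]!r}")
```

Line 2 of the sample session is the false-positive case a tuning pass should look for: any base64 credential blob whose alphabet happens to place four or more capital 'A's after non-'A' characters is indistinguishable from the pattern the rule keys on, so alerts on busy gateways need the flowbit prerequisite plus corroborating context (source reputation, connection volume, Exim log errors) before escalation.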
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.0) | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |
| vendor_ubuntu | 5.3 | MEDIUM | |
Ubuntu: Exim vulnerabilities (vendor_ubuntu · 2023-10-04 · CVSS 5.3 · MEDIUM)
Summary: Several security issues were fixed in Exim.
It was discovered that Exim incorrectly handled certain challenge requests.
A remote attacker could possibly use this issue to perform out-of-bounds
reads, resulting in information leakage. (CVE-2023-42114)
It was discovered that Exim incorrectly handled validation of user-supplied
data. A remote attacker could possibly use this issue to perform
out-of-bounds writes, resulting in arbitrary code execution. This issue
only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04.
(CVE-2023-42115)
It was discovered that Exim incorrectly handled certain challenge requests.
A remote attacker could possibly use this issue to perform out-of-bounds
writes, resulting in arbitrary code execution. (CVE-2023-42116)
Red Hat: Exim: AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability (vendor_redhat · 2023-09-27 · CVSS 9.8 · CRITICAL · CWE-787)
An out-of-bounds write flaw exists in Exim within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper valida
Debian: CVE-2023-42115: exim4 - Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability (vendor_debian · 2023 · CVSS 9.8 · CRITICAL)
Scope: local
bookworm: resolved (fixed in 4.96-15+deb12u2)
bullseye: resolved (fixed in 4.94.2-7+deb11u1)
forky: resolved (fixed in 4.97~RC1-2)
sid: resolved (fixed in 4.97~RC1-2)
trixie: resolved (fixed in 4.97~RC1-2)
OSV: CVE-2023-42115: Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability (osv · 2024-05-03 · CVSS 9.8 · CRITICAL)
GHSA: GHSA-67rj-8f2h-26fc: Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability (ghsa_unreviewed · 2024-05-03 · CRITICAL · CWE-787)
OSV: exim4 vulnerabilities (osv · 2023-10-04 · CVSS 5.3 · CVE-2023-42114 [MEDIUM]); same advisory text as the Ubuntu entry above (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116)
Suricata: ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-42115) (suricata · 2023-10-03 · CVSS 9.8 · CRITICAL); rule sid 2048390, as listed under Detection & IOCs above
No public exploits indexed.
Wiz: RCE meaning: Remote code execution attacks explained | Wiz (blogs_wiz · 2026-02-18)
## What is a remote code execution (RCE) attack?
A remote code execution (RCE) attack is a cyberattack where an attacker runs malicious code on a target system from a remote location. This means someone who has no physical access to your servers can still execute commands as if they were sitting at the keyboard.
RCE ranks among the most severe vulnerability classes because attackers often need no authentication or user interaction to exploit it. Once they gain code execution, they can steal sensitive data, install persistent backdoors, escalate privileges, or pivot to other systems on your network.
The consequences extend beyond the initial compromise. A single RCE vulnerability in an internet-facing application can give attackers a foothold to move laterally through your environment, e
Greynoiseio: GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs (blogs_greynoiseio · 2025-02-26 · CVSS 9.8 · CRITICAL)
Qualys: Defense Lessons From the Black Basta Ransomware Playbook (blogs_qualys · 2025-02-25)
## Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Wiz: Crying Out Cloud - November Newsletter | Wiz (blogs_wiz · 2023-11-01 · CVSS 9.8 · CRITICAL)
The past month has brought a series of vulnerabilities and security incidents that have left users affected. Amidst the noise, we've taken it upon ourselves to curate the most significant developments for you.
Here are our top picks of cloud security highlights!
## 🐞 High Profile Vulnerabilities
## Critical and high severity 0day vulnerabilities in Exim
Multiple vulnerabilities were disclosed in Exim Mail Transfer Agent (MTA), including CVE-2023-42115, which is a critical vulnerability enabling unauthenticated attackers to remotely execute code on publicly exposed Exim servers with a specific non-default configuration. This issue results from improper input validation that leads to writing arbitrary code past the end of the buffer.
According to Wiz data, although Exim is very prevalen
Wiz: Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog (blogs_wiz · 2023-10-02 · CVSS 9.8 · CRITICAL)
Multiple vulnerabilities were publicly disclosed by the Zero Day Initiative (ZDI) in Exim Mail Transfer Agent (MTA), including CVE-2023-42115, which is a critical vulnerability enabling unauthenticated attackers to remotely execute code on publicly exposed Exim servers with “External” authentication enabled. This issue results from improper input validation that leads to writing arbitrary code past the end of the buffer. The recommendation is to update Exim to patched versions, or if not possible, restrict remote access to Exim mail servers if you have “External” authentication enabled, or to switch to a different authentication method.
## What is CVE-2023-42115?
Exim is a very prevalent mail server, due in part to being the default MTA preinstalled on Debian and other Linux distribution
Bleepingcomputer: Exim patches three of six zero-day bugs disclosed last week (blogs_bleepingcomputer · 2023-10-02 · CVSS 5.3 · MEDIUM)
By Sergiu Gatlan
Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro's Zero Day Initiative (ZDI), one of them allowing unauthenticated attackers to gain remote code execution.
Discovered by an anonymous security researcher, the security flaw (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service and can be exploited by remote unauthenticated attackers to execute code in the context of the service account.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer," ZDI's advisory exp
Bleepingcomputer: Millions of Exim mail servers exposed to zero-day RCE attacks (blogs_bleepingcomputer · 2023-09-29 · CVSS 9.8 · CRITICAL)
By Sergiu Gatlan
A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers.
Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service.
While this type of issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.
"The specific flaw exists within the smtp service, which listens on TCP port 25 by default," a ZDI security advisory
Greynoiseio: NoiseLetter June 2025 (blogs_greynoiseio)