cbcvebase.
CVE-2025-26794
published 2025-02-21


Priority: P272, critical
CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 75.78% (99.5th percentile)
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

Affected

2 ranges

Vendor   Product   Version range             Fixed in
debian   exim4     < exim4 4.98-4 (forky)    exim4 4.98-4 (forky)
exim     exim      >= 4.98 < 4.98.1          4.98.1

Detection & IOCs (extracted from sources)

command: ETRN 0x23
snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim SQLite (DBM) Injection (CVE-2025-26794)"; flow:established,to_server; content:"ETRN|20 23|"; startswith; pcre:"/^[^0a]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,github.com/OscarBataille/CVE-2025-26794; reference:cve,2025-26794; classtype:attempted-user; sid:2060363; rev:1; metadata:affected_product Exim, attack_target Server, created_at 2025_02_25, cve CVE_2025_26794, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploitation requires ETRN to be enabled at runtime (acl_smtp_etrn returns accept) AND smtp_etrn_serialize set to true; monitor SMTP traffic for ETRN commands containing SQL metacharacters (', ", ;, --, \, *, /).
  • Network detection: look for SMTP sessions where the ETRN command (followed by a space and '#'/0x23) contains SQL injection characters such as single quote (0x27), double quote (0x22), semicolon (0x3b), double-dash (0x2d), backslash (0x5c), asterisk (0x2a), or forward-slash (0x2f).
  • Attackers can insert malicious SQL code via specially crafted email transactions (ETRN), potentially leading to unauthorized access, data extraction, or full system compromise.
  • Public proof-of-concept exploit code is available at github.com/OscarBataille/CVE-2025-26794; monitor for exploitation attempts originating from external networks targeting inbound SMTP (port 25).
  • The vulnerability only affects Exim 4.98 (before 4.98.1) built with SQLite hints support AND with ETRN enabled and serialized at runtime. Resolving SQL injection fully requires 4.99.1 in certain non-default rate-limit configurations.
  • ETRN is denied by default (acl_smtp_etrn defaults to deny), so only non-default configurations that explicitly accept ETRN are exposed.
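As an added example (not from this page, the signature's author or the Exim project), a Python check that applies the same pattern as the Snort rule above to captured SMTP command lines, so the rule's behaviour can be tested against your own SMTP logs; the sample commands are constructed.

```python
import re
from typing import Iterable

# Trigger, following the Snort rule: the command starts with "ETRN #"
# (the argument form Exim serializes through its SQLite hints database)
# and the argument contains one of the SQL metacharacters ' " ; - \ * /
ETRN_PREFIX = re.compile(rb"^ETRN #", re.IGNORECASE)
SQL_METACHARS = re.compile(rb"[\x27\x22\x3b\x2d\x5c\x2a\x2f]")


def is_suspicious_etrn(line: bytes) -> bool:
    """True if one SMTP command line matches the ETRN SQL-injection pattern."""
    line = line.rstrip(b"\r\n")
    m = ETRN_PREFIX.match(line)
    if m is None:
        return False          # not an ETRN with the '#' argument form
    argument = line[m.end():]
    return SQL_METACHARS.search(argument) is not None


def flag_etrn_lines(lines: Iterable[bytes]) -> list:
    """Return the matching command lines, in order, for alerting or triage."""
    return [line for line in lines if is_suspicious_etrn(line)]


# Constructed sample session (not real traffic). Note that the hyphen (0x2d)
# is in the rule's character set, so a '#' ETRN naming a hyphenated host is
# flagged too: expect that false positive when tuning the rule.
SAMPLE_COMMANDS = [
    b"EHLO client.example\r\n",
    b"ETRN example.com\r\n",             # plain hostname: not the '#' form
    b"ETRN #example.com\r\n",            # '#' form, no metacharacters
    b"ETRN #exa'mple.com\r\n",           # '#' form with a single quote
    b"ETRN #mail-relay.example\r\n",     # '#' form, hyphen only
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for hit in flag_etrn_lines(SAMPLE_COMMANDS):
        print("CVE-2025-26794 pattern:", hit.rstrip(b"\r\n").decode("latin-1"))
```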

CVSS provenance

nvd            v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                   9.8   CRITICAL
vendor_debian         7.5   LOW
vendor_redhat         7.5   HIGH