CVE-2025-26794
Published 2025-02-21
Priority: P272 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 75.78% (99.5th percentile)
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.98-4 (forky) | exim4 4.98-4 (forky) |
| exim | exim | >= 4.98 < 4.98.1 | 4.98.1 |
Detection & IOCs (extracted from sources)
command: `ETRN` followed by a space and 0x23 (`#`)
snort:
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim SQLite (DBM) Injection (CVE-2025-26794)"; flow:established,to_server; content:"ETRN|20 23|"; startswith; pcre:"/^[^0a]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,github.com/OscarBataille/CVE-2025-26794; reference:cve,2025-26794; classtype:attempted-user; sid:2060363; rev:1; metadata:affected_product Exim, attack_target Server, created_at 2025_02_25, cve CVE_2025_26794, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploitation requires ETRN to be enabled at runtime (`acl_smtp_etrn` returns accept) AND `smtp_etrn_serialize` set to true; monitor SMTP traffic for ETRN commands containing SQL metacharacters (`'`, `"`, `;`, `--`, `\`, `*`, `/`).
- Network detection: look for SMTP sessions where the ETRN command (followed by a space and `#`, 0x23) contains SQL-injection characters such as single quote (0x27), double quote (0x22), semicolon (0x3b), double-dash (`--`, byte 0x2d), backslash (0x5c), asterisk (0x2a), or forward slash (0x2f).
- Attackers can insert malicious SQL code via specially crafted email transactions (ETRN), potentially leading to unauthorized access, data extraction, or full system compromise.
- Public proof-of-concept exploit code is available at github.com/OscarBataille/CVE-2025-26794; monitor for exploitation attempts originating from external networks targeting inbound SMTP (port 25).
- The vulnerability only affects Exim 4.98 (before 4.98.1) built with SQLite hints support AND with ETRN enabled and serialized at runtime. Fully resolving the SQL injection requires 4.99.1 in certain non-default rate-limit configurations.
- ETRN is denied by default (`acl_smtp_etrn` defaults to deny), so only non-default configurations that explicitly accept ETRN are exposed.
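As an added example (not code from this page or from any of its sources), the following Python script applies the same logic as the ET rule above to a client/server SMTP transcript: it flags ETRN commands whose argument begins with `#` and contains any of the seven SQL metacharacters listed in the rule's PCRE class. The transcript and hostnames are constructed placeholders; the verb match is case-insensitive here, which is slightly broader than the rule's `content` match.

```python
import re

# The seven bytes in the ET rule's PCRE character class: ' " ; - \ * /
SQL_META = frozenset("'\";-\\*/")

# ETRN verb, one space, '#' (0x23), then the argument up to end of line.
# SMTP verbs are case-insensitive, so the verb is matched that way here
# (the Suricata rule's content match is case-sensitive; assumption noted).
ETRN_HASH_RE = re.compile(r"^ETRN #(?P<arg>.*)$", re.IGNORECASE)


def etrn_sql_metachars(command: str) -> list[str]:
    """Return the SQL metacharacters present in an 'ETRN #...' command line.

    Any other SMTP command, or an ETRN without the '#' form, yields [].
    """
    m = ETRN_HASH_RE.match(command.rstrip("\r\n"))
    if m is None:
        return []
    return sorted({c for c in m.group("arg") if c in SQL_META})


def scan_smtp_transcript(transcript: str) -> list[dict]:
    """Flag suspicious ETRN commands in a 'C: ...' / 'S: ...' transcript.

    Only client-to-server lines are inspected, mirroring flow:to_server.
    """
    findings = []
    for lineno, line in enumerate(transcript.splitlines(), start=1):
        if not line.startswith("C: "):
            continue
        command = line[3:]
        hits = etrn_sql_metachars(command)
        if hits:
            findings.append({"line": lineno, "command": command, "metachars": hits})
    return findings


# Constructed sample session; hostnames are placeholders, not real IOCs.
SAMPLE_TRANSCRIPT = (
    "S: 220 mx.example.test ESMTP\n"
    "C: EHLO relay.example.test\n"
    "S: 250 mx.example.test\n"
    "C: ETRN #relay.example.test\n"          # benign '#' form
    "S: 250 OK, queue run started\n"
    "C: ETRN #relay.example.test'; --\n"     # quote, semicolon, dashes
    "S: 250 OK, queue run started\n"
    "C: QUIT\n"
)

if __name__ == "__main__":
    for f in scan_smtp_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']}: {f['command']!r} -> {f['metachars']}")
```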
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 7.5 | LOW | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
GHSA-v8m7-99rg-xp5c: Exim 4
ghsa_unreviewed · 2025-02-21 · CVE-2025-26794 [HIGH] · CWE-89
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
OSV
CVE-2025-26794: Exim 4
osv · 2025-02-21 · CVSS 9.8 · CVE-2025-26794 [CRITICAL]
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)
Red Hat
exim: Exim: remote SQL injection
vendor_redhat · 2025-02-21 · CVSS 7.5 · CVE-2025-26794 [HIGH] · CWE-89
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)
A flaw was found in the Exim package. In affected versions of the exim package, when SQLite hints and ETRN serialization are used, it allows remote SQL injection.
Statement: The following conditions have to be met to be vulnerable:
- Exim version 4.98
- Build-time option _USE_SQLITE_ is set (it enables the use of SQLite for the hints databases); check whether the output of `exim -bV` contains:
  ```
  Hints DB:
  Using sqlite3
  ```
- Runtime config enables ETRN (`acl_smtp_etrn` returns _accept_; it defaults to _deny_)
- Runtime config enforces ETRN serialization
Debian
CVE-2025-26794: exim4 - Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allo...
vendor_debian · 2025 · CVSS 7.5 · CVE-2025-26794 [HIGH]
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 4.98-4)
sid: resolved (fixed in 4.98-4)
trixie: resolved (fixed in 4.98-4)
Suricata
ET EXPLOIT Exim SQLite (DBM) Injection (CVE-2025-26794)
suricata · 2025-02-25 · CVSS 7.5 · CVE-2025-26794 [HIGH]
Rule: identical to the ET EXPLOIT rule (sid 2060363) reproduced under Detection & IOCs above.
No public exploits indexed.
Checkpoint
3rd March – Threat Intelligence Report
blogs_checkpoint·2025-03-03
CVE-2025-27364 3rd March – Threat Intelligence Report
## 3rd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 3rd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Orange Group has confirmed a cyberattack on its Romanian branch, in which a hacker linked to the HellCat ransomware group stole 6.5GB of data over a month. The breach exposed 380,000 email addresses, internal documents, source code, invoices, contracts, and partial payment card details. While some data appears outdated, Orange
Wiz
CVE-2025-67896 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.4 · CVE-2025-67896 [MEDIUM]
## CVE-2025-67896: Exim vulnerability analysis and mitigation
Exim before 4.99.1, with certain non-default rate-limit configurations, allows a remote heap-based buffer overflow because database records are cast directly to internal structures without validation.
Source: NVD
- Score: 9.8
- Published: December 14, 2025
- Severity: CRITICAL
- CNA Score: 7.0
- Affected Technologies: Exim, Linux Fedora
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 24.9
- Exploitation Probability (EPSS): 0.1
Affected packages and libraries: exim-pgsql-debuginfo (cpe:2.3:a:exim:exim)
Sources: Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 · Severity CRITICAL · No Fix · Added at: Dec 24, 2025
References:
- https://bugzilla.suse.com/show_bug.cgi?id=1237424
- https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305
- https://exim.org
- https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt
- https://github.com/Exim/exim/wiki/EximSecurity
- https://github.com/NixOS/nixpkgs/pull/383926
- https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d
- https://www.exim.org/static/doc/security/CVE-2025-26794.txt
- http://www.openwall.com/lists/oss-security/2025/02/19/1
- http://www.openwall.com/lists/oss-security/2025/02/21/4
- http://www.openwall.com/lists/oss-security/2025/02/21/5
Published: 2025-02-21