CVE-2019-10149

9.8 CRITICAL

📋 TL;DR

CVE-2019-10149 is a critical remote command execution vulnerability in Exim mail transfer agent versions 4.87 through 4.91. Attackers can exploit improper recipient address validation to execute arbitrary commands as root on vulnerable Exim servers. Organizations running affected Exim versions on internet-facing mail servers are at immediate risk.

💻 Affected Systems

Products:
  • Exim
Versions: 4.87 to 4.91 (inclusive)
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. The vulnerability exists in the deliver_message() function when processing recipient addresses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root-level remote code execution, allowing attackers to install malware, exfiltrate data, pivot to internal networks, or create persistent backdoors.

🟠 Likely Case

Remote attackers gain root access to mail servers, enabling email interception, credential theft, and use as an attack platform for further network exploitation.

🟢 If Mitigated

Limited impact with proper network segmentation, minimal privileges, and intrusion detection systems in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploits available. Attack requires sending specially crafted email to vulnerable server. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.92 or later

Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2019-10149.txt

Restart Required: Yes

Instructions:

1. Back up the current Exim configuration.
2. Download and install Exim 4.92 or later from exim.org.
3. Apply configuration changes if needed.
4. Restart the Exim service.
5. Verify the service is running with the patched version.

🔧 Temporary Workarounds

Disable vulnerable delivery method (Linux)

Temporarily disable the vulnerable delivery mechanism by modifying the Exim configuration:

  • Edit exim.conf and set 'deliver_drop_privilege = true'
  • Add 'acl_smtp_rcpt = acl_check_rcpt' with proper validation

🧯 If You Can't Patch

  • Block inbound SMTP traffic at network perimeter to vulnerable servers
  • Implement strict firewall rules limiting SMTP access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check Exim version with 'exim --version' or 'exim -bV'. If version is between 4.87 and 4.91 inclusive, system is vulnerable.

Check Version:

exim --version | head -1

Verify Fix Applied:

Run 'exim --version' and confirm version is 4.92 or higher. Test with known exploit payloads to verify they are blocked.
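The version check above, as an added example (not part of the original page): a small Python helper that parses the first line of `exim -bV` / `exim --version` output and classifies it against the 4.87 to 4.91 range given on this page. The sample output strings are constructed. One caveat a practitioner should keep in mind: distribution packages may carry a backported fix under an older version number (Debian, for example, patched its 4.89 package), so a version number alone is not conclusive and should be cross-checked against the distribution's advisory.

```python
import re
from typing import Optional, Tuple

# Affected range stated on this page (and in the vendor advisory):
# 4.87 through 4.91 inclusive, fixed in 4.92.
FIRST_VULNERABLE: Tuple[int, int] = (4, 87)
FIXED_IN: Tuple[int, int] = (4, 92)

# `exim -bV` prints a line such as "Exim version 4.91 #1 built 05-Jun-2019 ..."
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from `exim -bV` output, or None if no version is found."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(bv_output: str) -> str:
    """Classify the reported upstream version against the CVE-2019-10149 range.

    This only looks at the upstream version number; a distribution package with a
    backported fix will still report an 'affected' number and must be checked
    against the distro advisory separately.
    """
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown"
    if version >= FIXED_IN:
        return "version at or above fixed release"
    if version >= FIRST_VULNERABLE:
        return "version in affected range"
    return "version older than affected range"


if __name__ == "__main__":
    import subprocess

    # Run the real check on this host; the `exim -bV` invocation is the one the page describes.
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    print(out.splitlines()[0] if out else "(exim not found)")
    print(assess(out))
```

Run it on the mail server itself; if it reports "version in affected range", confirm with your distribution's advisory whether the installed package already carries the fix before deciding on emergency action.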

📡 Detection & Monitoring

Log Indicators:

  • Unusual recipient addresses with shell metacharacters
  • Failed delivery attempts with suspicious patterns
  • Unexpected process execution from Exim

Network Indicators:

  • SMTP connections with malformed RCPT TO commands
  • Unusual outbound connections from mail server

SIEM Query:

source="exim.log" AND ("RCPT TO" CONTAINS "|*" OR "RCPT TO" CONTAINS "`*" OR "RCPT TO" CONTAINS "$(*")
