CVE-2019-15846

CVSS v3 base score: 9.8 CRITICAL

📋 TL;DR

CVE-2019-15846 is a critical remote code execution vulnerability in the Exim mail transfer agent. The trigger is not an SMTP command but the TLS handshake: a client that sends a Server Name Indication (SNI) ending in a backslash, or presents a client certificate whose Distinguished Name ends in a backslash, causes an out-of-bounds read in Exim's escape-sequence handling that leads to heap corruption when the spooled message is later processed. That processing runs as root, so the attacker gets root. All versions up to and including 4.92.1 are affected; the fix is 4.92.2. Any Exim server that accepts TLS connections (STARTTLS on 25/587 or implicit TLS on 465) from untrusted hosts is exposed to complete system compromise.

💻 Affected Systems

Products:
  • Exim
Versions: All versions up to and including 4.92.1 (everything before 4.92.2)
Operating Systems: Any platform Exim runs on (Linux, other Unix, BSD)
Default Config Vulnerable: ⚠️ Yes
Notes: Affected whenever TLS is offered, regardless of whether Exim is built against OpenSSL or GnuTLS. The upstream default configuration advertises TLS to all hosts, so a stock affected build is vulnerable; only a server that does not accept TLS at all is out of reach.

📦 What is this software?

Exim is a message transfer agent (MTA) for Unix-like systems, developed at the University of Cambridge. It is widely deployed on internet-facing mail servers and is the default MTA on Debian.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains full root access to the mail server (the vulnerable code path runs in a root-privileged Exim process), enabling data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Attackers exploit the vulnerability to install cryptocurrency miners, ransomware, or botnet malware on vulnerable servers.

🟢

If Mitigated

Restricting which hosts can reach the SMTP/TLS listeners and isolating the mail server limits lateral movement, but a compromised server still exposes every message that passes through it, so data exfiltration remains possible.

🌐 Internet-Facing: HIGH - Exim mail servers are typically internet-facing and must accept TLS handshakes from arbitrary senders, so any remote host can deliver the crafted SNI.
🏢 Internal Only: MEDIUM - Any internal host that can reach the SMTP listener and complete a TLS handshake (for example a compromised workstation) can exploit it; no mail account or credentials are needed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists and the vulnerability has been used in real-world attacks. Exploitation is unauthenticated: it needs only a TLS client that sends an SNI ending in a backslash during the handshake with a pre-4.92.2 server that offers TLS. No mail account, no valid certificate and no user interaction are required, so the technical barrier is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.92.2

Vendor Advisory: http://exim.org/static/doc/security/CVE-2019-15846.txt

Restart Required: Yes (the listening daemon must be restarted so new connections are handled by the fixed binary)

Instructions:

1. Back up the Exim configuration (the configure file, e.g. /etc/exim/exim.conf or the /etc/exim4/ tree, plus any local ACL files).
2. Install the fixed build. On a distribution-packaged system apply the vendor's security update; distributions backported the fix without changing the 4.92 version string, so the package changelog or the distribution advisory is the authority there. Otherwise build Exim 4.92.2 or later from the exim.org source.
3. Stop the Exim service, install the new version, and start the service again.
4. Verify with 'exim -bV' (or, for a backported package, confirm the changelog references CVE-2019-15846).

🔧 Temporary Workarounds

Reject TLS sessions whose SNI or peer DN ends in a backslash

linux

This is the mitigation published in the vendor advisory. The two deny rules must go in an ACL that runs after STARTTLS has completed, normally the ACL named by acl_smtp_mail, because $tls_in_sni and $tls_in_peerdn are empty at connect time:

  # prevent exploit for CVE-2019-15846
  deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
  deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

Disable TLS entirely

linux

Setting tls_advertise_hosts to an empty value stops Exim offering STARTTLS (also clear tls_on_connect_ports if implicit TLS on 465 is enabled) and removes the attack surface, at the cost of plaintext mail transport. Only acceptable as a short-term measure.

Network filtering

linux

Packet-level string matching on port 25 does not work here: a backslash is legal in quoted SMTP local parts, the trigger sits inside the TLS ClientHello after STARTTLS, and ports 465/587 would be missed. Instead restrict who may reach the SMTP listeners at all, for example to an upstream relay or filtering gateway (203.0.113.0/24 is a placeholder for that relay's range):

iptables -A INPUT -p tcp -m multiport --dports 25,465,587 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,465,587 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Exim server from critical systems, and limit which hosts can reach its SMTP/TLS ports
  • Enable logging of the TLS SNI and peer DN (log_selector = +tls_sni +tls_peerdn) and alert on values ending in a backslash; monitor for unexpected child processes of Exim

🔍 How to Verify

Check if Vulnerable:

Run 'exim -bV' and check whether the version is below 4.92.2. Caveat: distribution packages that backported the fix still report 4.92, so for a packaged Exim consult the package changelog or the distribution advisory rather than the banner alone.

Check Version:

exim -bV | head -1

Verify Fix Applied:

Run 'exim -bV' and confirm the version is 4.92.2 or higher (or that a backported package's changelog references CVE-2019-15846). Optionally confirm the mitigation scope with 'exim -bP tls_advertise_hosts': an empty value means TLS is not offered.
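The check above, scripted. This is an added example written for this page, not Exim's own code or tooling: it parses the banner line of `exim -bV` and the output of `exim -bP tls_advertise_hosts` and combines them into a verdict. The sample banner strings in the block are constructed, the 4.92.2 threshold is the upstream fix release, and the "backported package" caveat from the text applies unchanged (a Debian-style 4.92 backport will still be reported as vulnerable by this version comparison).

```python
"""Version check for CVE-2019-15846 (example added to this page; not Exim's code).

Parses the banner printed by `exim -bV` and the output of
`exim -bP tls_advertise_hosts`, and reports whether the build is below
the 4.92.2 fix release and whether TLS is offered at all.

Caveat: distributions shipped the fix as a backport without changing the
4.92 banner; for a packaged Exim, trust the distribution advisory or the
package changelog over this comparison.
"""
import re
import subprocess
from typing import Tuple

FIXED_VERSION = (4, 92, 2)  # first upstream release containing the fix

# `exim -bV` prints e.g. "Exim version 4.92.1 #1 built 26-Jul-2019 12:00:00"
VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(banner: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from the first line of `exim -bV`."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Exim version string in: %r" % banner)
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def version_is_vulnerable(banner: str) -> bool:
    """True when the upstream version is 4.92.1 or older."""
    return parse_exim_version(banner) < FIXED_VERSION


def tls_is_advertised(bp_line: str) -> bool:
    """Interpret `exim -bP tls_advertise_hosts`; an empty value means no TLS."""
    _, _, value = bp_line.partition("=")
    return value.strip() != ""


def assess(banner: str, bp_line: str) -> str:
    """Combine both checks into a one-line verdict."""
    if not version_is_vulnerable(banner):
        return "not vulnerable: upstream version >= 4.92.2"
    if not tls_is_advertised(bp_line):
        return "vulnerable build, but TLS is not offered; patch anyway"
    return "VULNERABLE: pre-4.92.2 build offering TLS"


def assess_local_exim(exim_path: str = "exim") -> str:
    """Run both commands on this host and assess the result."""
    banner = subprocess.run([exim_path, "-bV"], capture_output=True,
                            text=True, check=True).stdout.splitlines()[0]
    bp = subprocess.run([exim_path, "-bP", "tls_advertise_hosts"],
                        capture_output=True, text=True, check=True).stdout
    return assess(banner, bp)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    print(assess("Exim version 4.92 #3 built 06-Jun-2019 13:43:46",
                 "tls_advertise_hosts = *"))
```

Run `assess_local_exim()` on the host itself; the constructed strings under `__main__` only show the shape of the input the functions expect.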

📡 Detection & Monitoring

Log Indicators:

  • Message arrival lines whose SNI="..." or DN="..." field ends in a backslash (requires log_selector = +tls_sni +tls_peerdn; Exim escapes a logged backslash, so it appears doubled before the closing quote; a hostname never legitimately contains one)
  • Unexpected child processes (shells, curl/wget, crontab) spawned by a root-owned Exim delivery process
  • Segfaults of exim processes in the kernel log, which can indicate failed exploitation attempts

Network Indicators:

  • TLS ClientHello to the mail server whose server_name (SNI) extension ends in a backslash
  • Client certificates presented to the server whose subject DN ends in a backslash
  • Unexpected outbound connections from the mail server

SIEM Query (regex over the raw Exim main-log line; adapt the escaping to your SIEM's query language):

(SNI|DN)="[^"]*\\"
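The log-indicator check implemented against sample lines. This is an added example written for this page, not Exim's own code or a vendor detection rule. It assumes log_selector includes +tls_sni and +tls_peerdn so that arrival lines carry SNI="..." and DN="..." fields as the Exim documentation describes, and that Exim's escaping renders a trailing backslash as a doubled backslash; the check therefore flags any value ending in a backslash regardless of count. The four log lines are constructed (RFC 5737 documentation addresses, made-up message IDs), not captured from a real server.

```python
"""Scan Exim main-log lines for the CVE-2019-15846 trigger: a TLS SNI or
client-certificate DN ending in a backslash.  Added example, not Exim code.

Assumes log_selector = +tls_sni +tls_peerdn, so message arrival ("<=")
lines carry SNI="..." and DN="..." fields.  Exim escapes a backslash in
logged strings, so a trailing backslash normally appears as "\\"; any
value that ends in one or more backslashes is treated as a hit.
"""
import re
from typing import Dict, Iterable, List, Optional

FIELD_RES = {
    "SNI": re.compile(r'\bSNI="([^"]*)"'),
    "DN": re.compile(r'\bDN="([^"]*)"'),
}
# Remote address as Exim logs it after the H= host field: "[203.0.113.7]"
ADDR_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def trailing_backslash(value: str) -> bool:
    """A hostname never ends in a backslash; a DN should not either."""
    return value.endswith("\\")


def scan_exim_log(lines: Iterable[str]) -> List[Dict[str, Optional[object]]]:
    """Return one hit per suspicious field, with line number and source IP."""
    hits: List[Dict[str, Optional[object]]] = []
    for n, line in enumerate(lines, 1):
        for field, rx in FIELD_RES.items():
            m = rx.search(line)
            if m and trailing_backslash(m.group(1)):
                addr = ADDR_RE.search(line)
                hits.append({
                    "line": n,
                    "field": field,
                    "value": m.group(1),
                    "source": addr.group(1) if addr else None,
                })
    return hits


# Constructed sample log (documentation addresses, invented message IDs).
# Line 2 carries an SNI that is a lone backslash (logged escaped as \\);
# line 3 carries a client-cert DN ending in a backslash; lines 1 and 4 are benign.
SAMPLE_LOG = r"""2019-09-06 10:12:01 1i6Aq3-0004cd-2N <= user@example.org H=mail.example.org [203.0.113.7] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no SNI="mail.example.org" S=1024 id=1@example.org
2019-09-06 10:12:05 1i6Aq7-0004cf-1Q <= x@example.net H=(x) [198.51.100.23] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no SNI="\\" S=512 id=2@example.net
2019-09-06 10:12:09 1i6AqB-0004ch-0Z <= c@example.com H=client.example.com [192.0.2.5] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="/C=DE/O=Example/CN=client.example.com\\" S=2048 id=3@example.com
2019-09-06 10:12:13 1i6AqF-0004cj-3A <= p@example.org H=relay.example.org [203.0.113.9] P=esmtp S=700 id=4@example.org
"""


if __name__ == "__main__":
    for hit in scan_exim_log(SAMPLE_LOG.splitlines()):
        print("line %(line)d: %(field)s=%(value)r from %(source)s" % hit)
```

On a live system feed it the main log (`scan_exim_log(open("/var/log/exim4/mainlog"))` on Debian-style layouts) or wire the same regexes into the SIEM rule above; the source address in each hit is what you block or investigate first.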

🔗 References

  • Exim security advisory: http://exim.org/static/doc/security/CVE-2019-15846.txt
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-15846