CVE-2020-28020

9.8 CRITICAL

📋 TL;DR

CVE-2020-28020 is an integer overflow vulnerability in the Exim mail transfer agent that leads to a buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code by exploiting the handling of header continuation lines. It affects Exim servers running versions before 4.92. The vulnerability is particularly dangerous because it can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Exim
Versions: All versions before 4.92
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All Exim installations with default configurations are vulnerable if running affected versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges leading to complete system compromise, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to mail server compromise, potential lateral movement within the network, and data theft.

🟢

If Mitigated

Exploit attempts detected and blocked by network controls, with minimal impact due to proper segmentation and monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and relatively easy to weaponize due to the low complexity of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Exim 4.92 and later

Vendor Advisory: https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28020-HSIZE.txt

Restart Required: Yes

Instructions:

1. Download Exim 4.92 or later from exim.org.
2. Stop the Exim service.
3. Back up the current configuration.
4. Install the new version.
5. Restart the Exim service.

🔧 Temporary Workarounds

Disable Exim service


Temporarily disable Exim to prevent exploitation while patching

systemctl stop exim
systemctl disable exim

Network segmentation


Restrict access to Exim ports (25, 465, 587) using firewall rules. Note that these rules drop all inbound SMTP and submission traffic, so legitimate mail delivery stops while they are in place, and because -A appends to the INPUT chain they will not match if an earlier rule already accepts that traffic.

iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p tcp --dport 465 -j DROP
iptables -A INPUT -p tcp --dport 587 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Exim servers from critical systems
  • Deploy intrusion detection systems to monitor for exploit attempts and block malicious traffic

🔍 How to Verify

Check if Vulnerable:

Check the Exim version with 'exim --version' or 'exim -bV'; the server is vulnerable if the reported version is below 4.92.

Check Version:

exim --version

Verify Fix Applied:

Verify Exim version is 4.92 or higher using 'exim --version'
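The version check above, as an added example that is not part of the original page: a small POSIX shell script that parses the "Exim version X.YY" line printed by 'exim -bV', compares it component by component against the 4.92 fix version, and reports whether the host is still affected. The function names are this example's own; it assumes the first line of 'exim -bV' output starts with "Exim version".

```shell
#!/bin/sh
# Added example (not from the original advisory): decide whether an installed
# Exim is below the 4.92 fix for CVE-2020-28020. Assumes `exim -bV` prints a
# first line of the form "Exim version 4.94.2 #2 built ...".

# Extract the version number from `exim -bV` / `exim --version` output.
exim_version_from_output() {
    printf '%s\n' "$1" | awk '/^Exim version/ { print $3; exit }'
}

# Return 0 (true) when version $1 is lower than version $2, comparing
# dot-separated numeric components (so 4.9 < 4.92 < 4.94.2, and 4.92 == 4.92).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                              # equal versions are not "less than"
    }'
}

# Return 0 when the given version string is affected by CVE-2020-28020 (< 4.92).
exim_vulnerable_cve_2020_28020() {
    version_lt "$1" "4.92"
}

# Query the installed binary, print a verdict, and return 0 only if vulnerable
# (1 = fixed, 2 = exim not installed or not on PATH).
check_installed_exim() {
    out=$(exim -bV 2>/dev/null) || { echo "exim not found on this host"; return 2; }
    v=$(exim_version_from_output "$out")
    if exim_vulnerable_cve_2020_28020 "$v"; then
        echo "Exim $v is below 4.92: vulnerable to CVE-2020-28020, patch required"
        return 0
    fi
    echo "Exim $v is 4.92 or later: fix applied"
    return 1
}

# Usage: run check_installed_exim on each mail host after patching; a zero exit
# status means the host still needs attention.
```

The numeric comparison matters because a plain string comparison would rank 4.9 after 4.92; splitting on dots and comparing each component as a number avoids that and also handles three-part versions such as 4.94.2.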

📡 Detection & Monitoring

Log Indicators:

  • Unusual header patterns in mail logs
  • Multiple continuation lines in single messages
  • Process crashes or abnormal Exim behavior

Network Indicators:

  • Unusual traffic patterns to Exim ports
  • Exploit-specific payloads in network traffic

SIEM Query:

source="exim.log" AND ("continuation" OR "header overflow" OR "buffer overflow")
