CVE-2023-42117

9.8 CRITICAL

📋 TL;DR

This is a critical remote code execution vulnerability in Exim mail servers that allows unauthenticated attackers to execute arbitrary code by sending specially crafted data to the SMTP service. The vulnerability affects Exim installations with the default configuration listening on port 25, potentially compromising entire mail servers and the systems they run on.

💻 Affected Systems

Products:
  • Exim
Versions: Specific affected versions are not detailed in the provided references; the timeframe is taken from the ZDI-23-1471 advisory
Operating Systems: Linux/Unix systems running Exim
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default SMTP configuration listening on port 25. Systems with Exim exposed to untrusted networks are at highest risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install malware, exfiltrate data, pivot to other systems, and establish persistent access to the network.

🟠

Likely Case

Mail server compromise leading to data theft, email interception, spam/malware distribution, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation, egress filtering, and intrusion detection systems are in place to contain the attack.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required, remote exploitation possible. ZDI advisory suggests weaponization is likely given the critical nature and ease of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor-specific updates (Debian, Ubuntu, Red Hat, etc.) for patched Exim versions

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/10/msg00029.html

Restart Required: Yes

Instructions:

1. Check your distribution's security advisories.
2. Update the Exim package using your package manager (apt-get update && apt-get upgrade exim4 for Debian/Ubuntu).
3. Restart the Exim service (systemctl restart exim4).

🔧 Temporary Workarounds

Network Access Control


Restrict SMTP access to trusted IP addresses only. Replace TRUSTED_IP with each relay or peer address you must still accept mail from (one ACCEPT line per address, all placed before the DROP, since iptables evaluates rules in order). Note that this also blocks inbound mail from any other Internet sender, so it suits relays and internal mail hosts better than a public MX.

iptables -A INPUT -p tcp --dport 25 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

Disable Vulnerable Service


Temporarily disable Exim if not critically needed

systemctl stop exim4
systemctl disable exim4

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Exim servers from critical systems
  • Deploy intrusion detection/prevention systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Exim version and compare against patched versions from your distribution's security advisory

Check Version:

exim --version | head -1

Verify Fix Applied:

Verify Exim version after update and ensure service is running with patched version

📡 Detection & Monitoring

Log Indicators:

  • Unusual SMTP connections
  • Memory corruption errors in Exim logs
  • Failed authentication attempts followed by successful connections

Network Indicators:

  • Unusual traffic patterns to port 25
  • Malformed SMTP packets
  • Connection attempts from suspicious IP ranges

SIEM Query:

source="exim.log" AND ("memory corruption" OR "segmentation fault" OR "buffer overflow")
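As an added example that is not part of this page or the Exim project, the script below applies the same indicator strings as the SIEM query above to Exim mainlog-style lines offline, and adds two triage helpers: a per-peer session count for the "unusual SMTP connections" indicator, and a lookup of which peer had most recently connected when a crash line appeared. The log lines are constructed, and the crash-message wording and the connection threshold are assumptions to be replaced with your own baseline.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Indicator strings taken from the SIEM query above, matched case-insensitively.
INDICATORS = ("memory corruption", "segmentation fault", "buffer overflow")

# Exim's mainlog announces inbound sessions as "SMTP connection from [addr] ..."; pull the peer address out.
CONN_RE = re.compile(r"SMTP connection from \[([0-9a-fA-F.:]+)\]")

# Constructed sample log (hypothetical lines, not captured from an incident) in Exim's "date time message" layout.
SAMPLE_LOG = """\
2024-10-28 10:01:12 SMTP connection from [198.51.100.7] (TCP/IP connection count = 1)
2024-10-28 10:01:14 1sX3aB-000123-AB <= sender@example.test H=(mx.example.test) [198.51.100.7] P=esmtp S=1234
2024-10-28 10:02:05 SMTP connection from [203.0.113.9] (TCP/IP connection count = 2)
2024-10-28 10:02:06 daemon: child process died with Segmentation fault (core dumped)
2024-10-28 10:02:07 SMTP connection from [203.0.113.9] (TCP/IP connection count = 3)
2024-10-28 10:02:08 SMTP connection from [203.0.113.9] (TCP/IP connection count = 4)
"""


def find_indicators(log: str) -> List[Tuple[int, str, str]]:
    """(line number, matched indicator, line) for each crash/corruption line."""
    hits = []
    for n, line in enumerate(log.splitlines(), start=1):
        low = line.lower()
        for ind in INDICATORS:
            if ind in low:
                hits.append((n, ind, line))
                break
    return hits


def noisy_sources(log: str, threshold: int = 3) -> Dict[str, int]:
    """Peers with at least `threshold` inbound sessions: a crude stand-in for the
    "unusual SMTP connections" indicator; the threshold is an assumed value."""
    counts = Counter(m.group(1) for m in CONN_RE.finditer(log))
    return {ip: c for ip, c in counts.items() if c >= threshold}


def crash_suspects(log: str) -> List[Tuple[int, Optional[str]]]:
    """For each crash line, the peer that most recently opened a session. Exim forks a
    child per connection, so under concurrency this only narrows the search."""
    last_peer, out = None, []
    for n, line in enumerate(log.splitlines(), start=1):
        m = CONN_RE.search(line)
        if m:
            last_peer = m.group(1)
        elif any(ind in line.lower() for ind in INDICATORS):
            out.append((n, last_peer))
    return out
```

Run it against your own mainlog and paniclog by reading the files into `log` instead of `SAMPLE_LOG`; a crash line with no preceding session yields `None` as the suspect, which usually points at a non-SMTP code path.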
