CVE-2024-39929

5.4 MEDIUM

📋 TL;DR

This vulnerability in Exim mail servers allows attackers to bypass filename extension filtering by using specially crafted multiline RFC 2231 headers. Attackers can deliver executable attachments that would normally be blocked, potentially delivering malware to end users' mailboxes. Organizations running vulnerable Exim versions as mail transfer agents are affected.

💻 Affected Systems

Products:
  • Exim
Versions: Through 4.97.1
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using $mime_filename extension blocking. Systems without this protection mechanism are not vulnerable to this specific bypass.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers deliver executable malware attachments directly to user mailboxes, bypassing security filters, leading to malware execution and potential system compromise.

🟠 Likely Case

Attackers deliver executable attachments that bypass filename filtering, increasing phishing and malware delivery success rates.

🟢 If Mitigated

With proper attachment scanning and user education, the risk is reduced to nuisance spam or blocked by additional security layers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted emails but does not require authentication to the mail server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.98-RC3 and later

Vendor Advisory: https://bugs.exim.org/show_bug.cgi?id=3099

Restart Required: Yes

Instructions:

1. Download Exim 4.98-RC3 or later from exim.org.
2. Compile and install following the Exim documentation.
3. Restart the Exim service.
4. Verify the version with 'exim -bV'.

🔧 Temporary Workarounds

Enhanced attachment filtering (platform: all)

Implement additional attachment scanning beyond filename extension checks.

Disable problematic MIME handling (platform: linux)

Configure Exim to reject or sanitize RFC 2231 headers.

Add to Exim configuration: 'untrusted_set_sender = *' and appropriate ACL rules

🧯 If You Can't Patch

  • Implement external email filtering/gateway with attachment scanning
  • Enable additional antivirus/antimalware scanning on mail server and endpoints

🔍 How to Verify

Check if Vulnerable:

Check the Exim version with 'exim -bV | head -1'. If the version is 4.97.1 or earlier, the system is vulnerable.

Check Version:

exim -bV | head -1

Verify Fix Applied:

After patching, verify that the version is 4.98-RC3 or later with 'exim -bV | head -1'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual multiline header patterns in email logs
  • Failed attachment blocking events followed by deliveries

Network Indicators:

  • Emails with multiline RFC 2231 headers containing executable extensions

SIEM Query:

source="exim" AND "RFC2231" AND ("exe" OR "bat" OR "sh" OR executable extension)
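The filter-side check the indicators above point at, as an added example (not Exim's code and not part of this page): a Content-Disposition parser that reassembles RFC 2231 continuation segments (filename*0=, filename*1*=, ...) before the extension check runs, beside a naive parser that reads only a plain filename= parameter and therefore never sees a name split across segments. The blocked-extension list and the sample headers are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Extensions a $mime_filename-style filter refuses (constructed list for this example).
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "js", "vbs", "ps1", "sh"}

def naive_filename(header: str) -> Optional[str]:
    """Reads only a plain filename= parameter; never sees a name split across RFC 2231 segments."""
    m = re.search(r'(?:^|;)\s*filename\s*=\s*"?([^";]*)', header, re.IGNORECASE)
    return m.group(1) if m else None

def _decode_extended(value: str, first_segment: bool) -> str:
    """RFC 2231 extended value: charset'language'percent-encoded-text.
    Only the first segment carries the charset/language prefix."""
    if first_segment and value.count("'") >= 2:
        value = value.split("'", 2)[2]
    return unquote(value)

def rfc2231_filename(header: str) -> Optional[str]:
    """Reassemble the name from filename*N= / filename*N*= segments (RFC 2231
    sections 3 and 4). Assumes parameter values do not themselves contain ';'."""
    plain, segments = None, {}
    for param in header.split(";")[1:]:          # element 0 is the disposition type
        if "=" not in param:
            continue
        name, value = (s.strip() for s in param.split("=", 1))
        name, value = name.lower(), value.strip('"')
        if name == "filename":
            plain = value
        elif name == "filename*":                 # extended, but not continued
            plain = _decode_extended(value, first_segment=True)
        else:
            m = re.fullmatch(r"filename\*(\d+)(\*?)", name)
            if m:
                idx, encoded = int(m.group(1)), bool(m.group(2))
                segments[idx] = _decode_extended(value, idx == 0) if encoded else value
    return "".join(segments[i] for i in sorted(segments)) if segments else plain

def is_blocked(filename: Optional[str]) -> bool:
    """Extension check, applied to whatever name the parser handed back."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS

# Constructed sample headers, not taken from any real message.
PLAIN = 'attachment; filename="report.pdf"'
CONTINUED = 'attachment; filename*0="invoice"; filename*1=".exe"'
ENCODED = "attachment; filename*0*=UTF-8''inv%20oice; filename*1*=.ex; filename*2*=e"
```

With the naive parser the two continuation headers yield no filename at all, so a check that treats "no name" as "nothing to block" lets them through; the reassembling parser returns invoice.exe and inv oice.exe and blocks both.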
