CVE-2025-26794
📋 TL;DR
Exim mail servers running versions 4.98 before 4.98.1 with SQLite hints and ETRN serialization enabled are vulnerable to remote SQL injection attacks. This allows attackers to potentially execute arbitrary SQL commands on the database backend. Only non-default configurations using these specific features are affected.
💻 Affected Systems
- Exim
📦 What is this software?
Exim by Exim
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker executes arbitrary SQL commands, potentially leading to database compromise, data exfiltration, or privilege escalation to execute system commands via SQL functions.
Likely Case
Attacker manipulates SQL queries to extract sensitive data from Exim's SQLite database, potentially exposing mail routing information, user credentials, or configuration details.
If Mitigated
With proper network segmentation and access controls, impact is limited to the Exim service and its associated database, preventing lateral movement.
🎯 Exploit Status
Exploitation requires specific non-default configuration and understanding of Exim's SQLite integration. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.98.1 or 4.99.1 (depending on rate-limit configuration)
Vendor Advisory: https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt
Restart Required: No
Instructions:
1. Download the latest Exim release from exim.org.
2. Back up the current configuration.
3. Compile and install the new version.
4. Verify configuration compatibility.
5. For rate-limit configurations, ensure the update is to 4.99.1.
🔧 Temporary Workarounds
Disable vulnerable features
Temporarily disable SQLite hints and ETRN serialization if not required
Edit Exim configuration to remove or comment out SQLite hint and ETRN serialization directives
🧯 If You Can't Patch
- Implement strict network access controls to limit Exim service exposure
- Monitor SQLite database access patterns and query logs for anomalies
🔍 How to Verify
Check if Vulnerable:
Check the Exim version with 'exim --version' and verify whether SQLite hints and ETRN serialization are enabled in the configuration
Check Version:
exim --version | head -1
Verify Fix Applied:
Confirm the version is 4.98.1 or higher with 'exim --version' and test that SQL injection attempts are properly sanitized
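The version and configuration checks above, as an added POSIX shell example that is not part of the advisory or the Exim project. It assumes the standard `exim` binary, the banner format of `exim --version` ('Exim version 4.98 #2 built ...'), that `exim -bP smtp_etrn_serialize` prints the option name (or its `no_` form when off), and that the `exim -bV` build report mentions the word 'sqlite' when the hints database uses SQLite; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify an Exim host for CVE-2025-26794.
# Exposed = version on the 4.98 line below 4.98.1, SQLite hints DB, ETRN serialization on.

# 0 (true) if "$1" is a version on the 4.98 line below the 4.98.1 fix.
exim_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=0
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*};; esac
    [ "$major" -eq 4 ] && [ "$minor" -eq 98 ] && [ "$patch" -lt 1 ]
}

# Pull "4.98" out of a banner such as "Exim version 4.98 #2 built 05-Jul-2024 14:30:52".
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# `exim -bP smtp_etrn_serialize` prints "smtp_etrn_serialize" when the option is on
# and "no_smtp_etrn_serialize" when it is off (the option defaults to on).
etrn_serialize_enabled() {
    [ "$1" = "smtp_etrn_serialize" ]
}

# Assumption: the `exim -bV` build report contains the word "sqlite" when the hints
# database backend is SQLite. This over-approximates (it also matches the sqlite
# lookup), which errs on the side of reporting exposure.
hints_backend_is_sqlite() {
    printf '%s\n' "$1" | grep -qi 'sqlite'
}

# Combine the checks; 0 means all preconditions for the CVE are present.
exim_cve_2025_26794_exposed() {
    ver=$(exim_version_from_banner "$1")
    [ -n "$ver" ] && exim_version_affected "$ver" \
        && hints_backend_is_sqlite "$2" && etrn_serialize_enabled "$3"
}

# Set EXIM_CHECK_LIVE=1 to query the real binary on the mail host.
if [ "${EXIM_CHECK_LIVE:-0}" = 1 ]; then
    if exim_cve_2025_26794_exposed "$(exim --version | head -1)" "$(exim -bV)" \
        "$(exim -bP smtp_etrn_serialize)"; then
        echo "EXPOSED: upgrade to 4.98.1 or later, or disable SQLite hints / ETRN serialization"
    else
        echo "not exposed: version fixed, or the feature combination is not in use"
    fi
fi
```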
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Exim logs
- ETRN commands with SQL-like syntax
- Database error messages in mail logs
Network Indicators:
- ETRN commands containing SQL metacharacters
- Unusual database connection patterns from Exim process
SIEM Query:
source="exim.log" AND ("SQL" OR "database error" OR "ETRN")
🔗 References
- https://bugzilla.suse.com/show_bug.cgi?id=1237424
- https://code.exim.org/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305
- https://exim.org
- https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt
- https://github.com/Exim/exim/wiki/EximSecurity
- https://github.com/NixOS/nixpkgs/pull/383926
- https://github.com/openbsd/ports/commit/584d2c49addce9ca0ae67882cc16969104d7f82d
- https://www.exim.org/static/doc/security/CVE-2025-26794.txt
- http://www.openwall.com/lists/oss-security/2025/02/19/1
- http://www.openwall.com/lists/oss-security/2025/02/21/4
- http://www.openwall.com/lists/oss-security/2025/02/21/5