Critical Vulnerability in Exim Affects Exim Mail Transfer Agent

Security updates have been released for the Exim Mail Transfer Agent (MTA), addressing multiple critical, remotely triggerable vulnerabilities that allow remote code execution (RCE).

The flaw affects outdated Exim deployments. It is a use-after-free (UAF) bug triggered during TLS shutdown while handling BDAT chunked SMTP traffic.

Exim is a widely used open-source mail transfer agent deployed across enterprise, ISP, academic, and government infrastructures for internet-connected Unix systems. CVE-2026-45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It impacts Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. OpenSSL-based builds are not affected.

The Exim Project has confirmed:

  • All versions prior to 4.99.3 are obsolete.
  • Legacy 3.x versions are more than 20 years outdated and should no longer be used.
  • Version 4.99.3 is the latest security release addressing remotely triggerable issues.

The vulnerability impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication.

There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of Exim is quite different.

Vulnerability Exploitation

Attackers exploiting the vulnerability could execute commands on the server as well as access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.

Findings from XBOW research:

XBOW Native successfully produced a working exploit for a simplified target Exim server that had no Address Space Layout Randomization (ASLR) and a non-PIE (Position Independent Executable) binary.

In a second attempt, the LLM achieved an exploit on a machine with ASLR enabled, but still a non-PIE binary.

“[…] instead of continuing to attack glibc’s allocator with off-the-shelf mechanisms, XBOW Native had taken on Exim’s own allocator,” XBOW researchers say.

Despite these surprising results, it was the human researcher who won the race, with the LLM assisting on tasks such as assembling files and testing exploitation avenues.

Threat actors commonly target internet-facing mail transfer agents due to their direct exposure to external networks and critical role in enterprise communication infrastructure.

Threat Context

Security Area | Details
Product | Exim Mail Transfer Agent (MTA)
Current Secure Version | 4.99.3
Affected Versions | All versions prior to 4.99.3
Legacy Risk | Exim 3.x releases are obsolete
Attack Surface | Internet-facing SMTP services
Potential Impact | Remote exploitation, mail service compromise, unauthorized access

Indicators of Concern (IoCs / Risk Indicators)

Type | Indicator | Description
Network Activity | Unusual SMTP connections | Suspicious external mail interactions
Service Behaviour | Unexpected Exim crashes/restarts | Possible exploitation attempts
Log Activity | Unauthorized mail relay events | Potential abuse of mail routing
Authentication | Unknown SMTP authentication attempts | Credential abuse indicators
System Activity | Unexpected child process execution | Possible remote code execution attempts

Mitigations

  • Upgrade all Exim installations to version 4.99.3 immediately.
  • Identify and decommission obsolete Exim 3.x deployments.
  • Restrict unnecessary external exposure of SMTP services.
  • Audit mail server configurations and relay permissions.
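As an added triage example (not code from the article or the Exim project), the script below checks the three preconditions the article names for the affected configuration: an Exim version in the 4.97 to 4.99.2 range, a build with GnuTLS, and both STARTTLS and CHUNKING advertised in the EHLO reply. The `exim -bV` output and EHLO reply are constructed samples from a hypothetical host; the layout of the `Support for:` line is an assumption about that command's output.

```python
import re

# Affected range stated in the advisory: 4.97 through 4.99.2, GnuTLS builds only.
AFFECTED_MIN = (4, 97, 0)
AFFECTED_MAX = (4, 99, 2)

# Constructed sample of `exim -bV` output from a hypothetical host (not a real system).
SAMPLE_BV = """Exim version 4.98.1 #2 built 10-Jan-2025 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC
"""

# Constructed sample EHLO reply from the same hypothetical host.
SAMPLE_EHLO = ("250-mail.example.test Hello client\r\n250-SIZE 52428800\r\n"
               "250-8BITMIME\r\n250-PIPELINING\r\n250-CHUNKING\r\n"
               "250-STARTTLS\r\n250 HELP\r\n")


def parse_version(bv_output):
    """Version tuple from the 'Exim version X.Y[.Z]' line, padded to three parts."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def uses_gnutls(bv_output):
    """True when the 'Support for:' line names GnuTLS (OpenSSL builds are unaffected)."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    return bool(m) and "GnuTLS" in m.group(1).split()


def ehlo_capabilities(ehlo_reply):
    """Keywords advertised in a multi-line 250- / 250 EHLO reply (greeting line skipped)."""
    lines = ehlo_reply.splitlines()[1:]
    return {m.group(1).upper() for m in (re.match(r"^250[- ](\S+)", l) for l in lines) if m}


def assess(bv_output, ehlo_reply):
    """Return (exposed, findings); exposed only when every advisory precondition holds."""
    findings = []
    ver = parse_version(bv_output)
    if ver is None:
        return False, ["could not parse Exim version; check manually"]
    if AFFECTED_MIN <= ver <= AFFECTED_MAX:
        findings.append("version %d.%d.%d is in the affected range" % ver)
    if uses_gnutls(bv_output):
        findings.append("built with GnuTLS")
    caps = ehlo_capabilities(ehlo_reply)
    for needed in ("STARTTLS", "CHUNKING"):
        if needed in caps:
            findings.append("%s advertised" % needed)
    return len(findings) == 4, findings


if __name__ == "__main__":
    exposed, findings = assess(SAMPLE_BV, SAMPLE_EHLO)
    print("EXPOSED" if exposed else "not exposed", findings)
```

On a real host, feed it the output of `exim -bV` and the EHLO reply captured from the listening SMTP service; a host that fails any one precondition is reported as not exposed to this specific bug but should still be upgraded.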

Users of Ubuntu and Debian-based Linux distributions should apply the available Exim updates (v4.99.3) through their package managers.

Sources:

  • Exim Remote Code Execution Vulnerability
  • New critical Exim mailer flaw allows remote code execution
