The vulnerabilities affect Exim version 4.99 when configured with SQLite hints database support, exposing thousands of mail servers to potential compromise.
The research team identified two distinct vulnerabilities in Exim’s SQLite database implementation.
The first is an incomplete SQL injection fix for CVE-2025-26794 that still fails to properly escape single-quote characters in database queries.
Attackers can exploit this weakness by sending specially crafted SMTP commands with malicious email addresses containing SQL injection payloads.
The second vulnerability involves a heap buffer overflow caused by unvalidated database fields used as array boundaries.
When the bloom filter code processes untrusted data from the database, it can write far beyond allocated memory buffers, potentially corrupting up to 1.5 megabytes of heap memory.
| CVE ID | Vulnerability Type | CWE | Severity | Attack Vector | Impact |
|---|---|---|---|---|---|
| Related to CVE-2025-26794 | SQL Injection (Incomplete Fix) | CWE-89 | High | Remote (SMTP) | Arbitrary SQL query execution, data exfiltration |
| Pending Assignment | Heap Buffer Overflow | CWE-122, CWE-787, CWE-843 | Critical | Remote (SMTP) | Heap corruption, potential remote code execution |
The heap overflow gives attackers precise control over the memory corruption, including the ability to target specific heap locations and write arbitrary byte values.
These vulnerabilities require specific configurations to be exploitable. Servers must be compiled with SQLite support and use rate-limited Access Control Lists (ACLs) that incorporate attacker-controlled data such as sender addresses.
The most vulnerable configurations include “per_addr” mode with explicit sender address keys or “unique” parameters containing attacker-controlled values.
While the researchers successfully demonstrated heap corruption and memory manipulation, they were unable to develop a complete remote code-execution exploit because of modern security protections such as Address Space Layout Randomization (ASLR).
However, experts warn that determined attackers with additional time and resources may be able to achieve full system compromise.
Exim maintainers have been notified and are working on security patches. The recommended fixes include adding proper single-quote escaping to prevent SQL injection, and implementing validation checks on database field sizes before they are used as array boundaries.
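As an added illustration of the two recommended fixes (this is example code written for this article, not Exim's source), the first function doubles single quotes before a value is embedded in a SQL literal, and the second checks a size field read from the database against the real buffer before using it as an array bound. The `hints_record` layout, the query text and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Double every single quote so the value can sit inside a '...' SQL literal
 * (the rule SQLite's %q applies; sqlite3_bind_text would avoid it entirely).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *sql_escape_single_quotes(const char *in)
{
    size_t n = strlen(in), quotes = 0;
    for (size_t i = 0; i < n; i++) if (in[i] == '\'') quotes++;
    char *out = malloc(n + quotes + 1);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') *p++ = '\'';   /* ' becomes '' */
        *p++ = in[i];
    }
    *p = '\0';
    return out;
}

/* Build the lookup for a hints key such as a sender address; -1 if it does not fit. */
int build_hints_query(const char *key, char *buf, size_t buflen)
{
    char *esc = sql_escape_single_quotes(key);
    if (!esc) return -1;
    int n = snprintf(buf, buflen, "SELECT dat FROM hints WHERE key='%s';", esc);
    free(esc);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Hypothetical hints record: a size field read from the database (untrusted)
 * followed by a fixed bloom-filter bit array. */
typedef struct {
    unsigned int nbits;       /* claimed bit count, as stored in the database */
    unsigned char bits[64];   /* storage actually allocated: 512 bits */
} hints_record;

/* Check the database-supplied size against the real buffer before using it as
 * an array bound; without this, a large nbits lets the write run past bits[]. */
int bloom_set_bit(hints_record *rec, unsigned int bit)
{
    const unsigned int capacity = sizeof rec->bits * 8u;
    if (rec->nbits == 0 || rec->nbits > capacity) return -1;  /* bad field */
    if (bit >= rec->nbits) return -1;                          /* bad index */
    rec->bits[bit / 8] |= (unsigned char)(1u << (bit % 8));
    return 0;
}
```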
Server administrators using Exim with SQLite hints databases should monitor for updates and apply patches immediately upon release.
Organizations running potentially vulnerable configurations should consider temporarily turning off SQLite hints database support, and restricting ratelimit ACL configurations that use sender addresses until patches are available.
The research team has committed to coordinated disclosure, giving developers time to create fixes before publicly releasing full exploit details.
The post Multiple Exim Server Vulnerabilities Let Attackers Seize Control of the Server appeared first on Cyber Security News.