Qualys researchers uncover 21 bugs in Exim mail servers

It's the kind of access the NSA has described as a "dream" for Russian hackers.
email implant, phishing, spearphishing
(Getty Images)

Researchers have found 21 unique vulnerabilities in Exim, a popular mail transfer agent, some of which would allow hackers to run full remote unauthenticated code execution against targets, the Qualys Research Team announced Tuesday.

If used properly, attackers could execute commands to install programs, manipulate data, create new accounts or change settings on the mail servers, according to the research. CVE-2020-28017, one of the vulnerabilities, dates as far back as 2004, according to the findings. Qualys and Exim recommend users apply the patches immediately.

The Exim Mail Transfer Agent (MTA) vulnerabilities, which Qualys is referring to collectively as 21Nails, affect all versions before Exim-4.94.1.

Ten of the flaws can be executed to gain root privileges, while 11 of them can be used to exploit victim systems locally. Hackers could link several of the vulnerabilities together in an attack to run full remote unauthenticated code execution against vulnerable mail servers, Qualys said.


Exim MTA software has not had smooth sailing over the last year. Hackers working for Russia’s military intelligence agency, a group also known as Sandworm, used Exim vulnerabilities last year in order to disable victims’ network security settings and execute commands and code remotely, according to the National Security Agency.

The NSA previously said using the mail transfer agent software vulnerability was “any attacker’s dream access.”

Almost exactly one year to date, Qualys shares the NSA’s concerns that Exim could provide hackers an attractive target to go after target lists.

“Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” said Bharat Jogi, senior manager of vulnerability and threat research at Qualys. “It’s imperative that users apply patches immediately.”

The Qualys Research Team began exploring Exim for vulnerabilities in October of last year. Immediately after they found the flaws, Exim started developing patches, according to Qualys, which says it also worked on developing the fixes. Exim noted in an email to users that the updates took “more time than usual” to work on the reported issues due to “internal reasons,” but thanked Qualys for having reported the issues and the team’s work on patches.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts