Exim mail servers left open to zero-day attacks for over a year

More than a million servers were exposed for more than a year


A major flaw in Exim’s mail transfer agent (MTA) software has been detected that has gone without a patch for more than a year.

Researchers from Trend Micro’s Zero Day Initiative were tipped off by an anonymous researcher in June last year, about an out-of-bounds write weakness discovered in the SMTP service, BleepingComputer reported.

Exim is an MTA that runs in the background of email servers, and attackers can exploit it to run malware on vulnerable endpoints.

Used by Russian hackers

That vulnerability is being tracked as CVE-2023-42115. It can be used to crash the software and corrupt valuable data, but more importantly, it can be used to run malicious code on vulnerable servers.

Exim was reportedly first notified about the flaw in June 2022, and then again in May 2023, but apparently to no avail. Given Exim’s failure to address it, Trend Micro Zero Day Initiative has now published an advisory describing the flaw, and detailing its discussion with Exim over the months.

According to BleepingComputer, MTA servers like Exim are a popular target among hackers, as they can be accessed remotely and used to move into the wider corporate network. Exim is also apparently the “world’s most popular MTA software, installed on more than 56% of 602,000 internet-connected mail servers” (342,000). This is mostly because it comes bundled with many popular Linux distros, including Debian and Red Hat.

Three years ago, Sandworm (a Russian state-sponsored threat actor) was using a flaw found in Exim to infiltrate endpoints, the NSA warned at the time.


“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA said.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
