Cyber Web Spider Blog – News

Multiple Exim Server Vulnerabilities Let Attackers Seize Control of the Server


Posted on December 22, 2025 By CWS

Security researchers at the National Institute of Standards and Technology (NIST) have uncovered critical security flaws in the Exim mail server that could allow remote attackers to take full control of vulnerable systems.

The vulnerabilities affect Exim version 4.99 when configured with SQLite hints database support, exposing thousands of mail servers to potential compromise.

Two Important Flaws Found

The research team identified two distinct vulnerabilities in Exim's SQLite database implementation.

The first is an incomplete SQL injection fix for CVE-2025-26794 that fails to escape single-quote characters in database queries correctly.

Attackers can exploit this weakness by sending specially crafted SMTP commands with malicious email addresses containing SQL injection payloads.

The second vulnerability involves a heap buffer overflow caused by unvalidated database fields used as array bounds.

When the bloom filter code processes untrusted data from the database, it can write far beyond allocated memory buffers, potentially corrupting up to 1.5 megabytes of heap memory.

| CVE ID | Vulnerability Type | CWE | Severity | Attack Vector | Impact |
|---|---|---|---|---|---|
| Related to CVE-2025-26794 | SQL Injection (Incomplete Fix) | CWE-89 | High | Remote (SMTP) | Arbitrary SQL query execution, data exfiltration |
| Pending Assignment | Heap Buffer Overflow | CWE-122, CWE-787, CWE-843 | Critical | Remote (SMTP) | Heap corruption, potential remote code execution |

This provides attackers with precise control over memory corruption, including the ability to target specific heap locations and write arbitrary byte values.

These vulnerabilities require specific configurations to be exploitable. Servers must be compiled with SQLite support and use rate-limit Access Control Lists (ACLs) that incorporate attacker-controlled data such as sender addresses.

The most vulnerable configurations include "per_addr" mode with explicit sender address keys or "unique" parameters containing attacker-controlled values.

While researchers successfully demonstrated heap corruption and memory manipulation, they were unable to develop a complete remote code-execution exploit because of modern security protections such as Address Space Layout Randomization (ASLR).

Nevertheless, experts warn that determined attackers with additional time and resources may be able to achieve full system compromise.

Exim maintainers have been notified and are working on security patches. The recommended fixes include adding proper single-quote escaping to prevent SQL injection and implementing validation checks for database field sizes before using them as array bounds.
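
The two recommended fixes, sketched in C as an added example. This is not Exim's code: the record layout and the names `sql_quote` and `bloom_set` are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout, not Exim's: the size field is stored in the
   hints database beside the filter bytes, so it is untrusted input. */
struct bloom_record {
    uint32_t stored_size;   /* size claimed by the database row */
    uint8_t  bits[64];      /* what the process actually allocated */
};

/* Fix 1: quote a value for a SQLite string literal by doubling every
   single quote. Returns the output length, or -1 if dst is too small. */
long sql_quote(const char *src, char *dst, size_t dst_len)
{
    size_t o = 0;
    if (dst_len == 0)
        return -1;
    for (; *src != '\0'; src++) {
        size_t need = (*src == '\'') ? 2 : 1;
        if (o + need + 1 > dst_len)     /* keep room for the NUL */
            return -1;
        if (*src == '\'')
            dst[o++] = '\'';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return (long)o;
}

/* Fix 2: check the stored size against the real allocation before it
   bounds any index. Returns 0 on success, -1 if the row is rejected. */
int bloom_set(struct bloom_record *r, uint32_t hash)
{
    if (r->stored_size == 0 || r->stored_size > sizeof r->bits)
        return -1;          /* without this, bit / 8 can exceed bits[] */
    uint32_t bit = hash % (r->stored_size * 8u);
    r->bits[bit / 8] |= (uint8_t)(1u << (bit % 8));
    return 0;
}

int main(void)
{
    char quoted[64];
    struct bloom_record row = { 1500000u, {0} };  /* constructed hostile row */
    sql_quote("o'brien@example.test", quoted, sizeof quoted);
    printf("'%s' rejected=%d\n", quoted, bloom_set(&row, 12345u) != 0);
    return 0;
}
```

Where the query layer allows it, bound parameters (`sqlite3_bind_text`) remove the need for quoting altogether.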

Server administrators using Exim with SQLite hints databases should monitor for updates and apply patches immediately upon release.

Organizations running potentially vulnerable configurations should consider temporarily turning off SQLite hints database support and restricting ratelimit ACL configurations that use sender addresses until patches are available.

The research team has committed to coordinated disclosure, giving developers time to create fixes before publicly releasing full exploit details.
