Exim Mail Transfer Agent (MTA) Improper Input Validation

Technical Severity

CRITICAL

9 / 10

Minimal Risk Critical

Vector Specification

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitation Likelihood

93.93 %

Predictive Probability

Percentile Rank

99.9 th

Documented as more likely to be exploited than 99.9% of known CVEs.

Detection Date

Jan 10, 2022

Remediation Due

Jul 10, 2022

CISA Catalog Active

Threat Analysis

Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

Apply updates per vendor instructions.

Vendor Identity

Exim

Affected Product

Mail Transfer Agent (MTA)

Ransomware Status

Campaign Use Unknown

Weakness Classification

CWE-78

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2019-10149