Exim vulnerability – How to fix

A critical severity vulnerability present in multiple versions of the Exim mail software makes it possible for root access by attackers and executing commands on mail servers for some non-default server configurations.


The flaw impacts Exim versions 4.87 to 4.91 and it is caused by the improper validation of recipient addresses in the deliver_message() function in /src/deliver.c which leads to RCE with root privileges on the mail server.

This vulnerability is trivially exploitable in the local and non-default cases (attackers will have working exploits before that, public or not). Qualys researchers report that in the default case, a remote attack takes a long time to succeed (to the best of our knowledge).

The vulnerability, which is tracked as CVE-2019-10149, affects versions 4.87 through 4.91. The flaw was fixed in version 4.92, which was released in February. But it was never identified as a vulnerability. What’s more, many distributions of Linux have continued to ship with vulnerable Exim versions.

Millions of servers affected

Currently more than 4.7 million machines are running a vulnerable Exim version. It’s a good bet that a non-trivial percentage of these machines are susceptible to the attacks. Updates to version 4.92 are available here.

Let’s check how to patch the exim.

How to check Exim vulnerability? (CentOS, Debian, Ubuntu)

Checking Exim version, installed on a server (CentOS):

# rpm -qa |grep exim

Checking Exim version in Debian / Ubuntu:

# dpkg --list |grep exim

If it shows Exim version between versions 4.87 through 4.91, you show apply an update to fix.

[[email protected] ~]# rpm -qa |grep exim
exim-4.84.2-1.el7.x86_64

How to patch Exim vulnerability?

New Exim update (from the version 4.92 already patched) so we have just to update the server sofware:

In CentOS 6:

# yum --enablerepo=epel=testing update exim

In CentOS 7:

# yum update exim

In Debian or Ubuntu:

# apt-get update
# apt-get install exim4

Customers with our dedicated servers and Cloud VPS servers

Contact our support department immediately at supp24.com, we will assist all our users to fix an Exim installation.

Dedicated servers with new OS reinstall

Looking for a custom solution?

Our technicians can provide you with the best custom made solutions on the market, no matter whether you're a small business or large enterprise.

Get in touch