Exim Email Servers: Latest Target for Cybercriminals


The Exim servers run almost 57% of the internet’s Email servers. Lately, it has been found out that the Exim Email servers are under heavy attacks from the hacker groups that are trying to exploit a recent security flaw in the bid to take over the vulnerable servers. As of now, two of the hacker groups have been identified to carry out cyber attacks of which one is operating from a public internet server and the other uses a server that is located on the dark web.

Both of the groups are found to be using an exploit for CVE-2019-10149, which is a security flaw publicly disclosed on 5th of June. The vulnerability has been nicknamed as “Return of the Wizard” that allows the remotely located hackers to send malicious Emails to vulnerable Exim servers and run malicious code under the Exim process’ access level which on most servers is root. Due to the fact that very sheer number of the Exim servers are currently installed across the internet, it is anticipated that the estimated exploitation attempts is somewhere between 500,000 and 53.4 million.

As per the researcher, the cyber criminals follow the following steps for accomplishing the cyber attacks:

  • The hackers send an Email and in the SMTP dialog of that Email, the RCPT_TO field gets an Email address that bears a localpart that has been crafted by the hackers in order to exploit the Exim To be more on point, the attack utilizes a specially crafted envelope from (532.MailFrom) that looks like the following where it would download a Shell script and directly executes it.

  • The infected Exim server then executes that localpart in their own user context after receiving the Email.
  • As people are at present running the Exim as a root, it will next download a shell script that will open the SSH access to the MTA server through a public key to the root user.

The second wave of the attacks were a lot more advanced compared to the first one and were spotted by Amit Serper, the Cybereason head of Security Research confirming that the group had not only continued to operate but also had amplified its attacks in order to pop up on the honeypots of other security firms side by side. The only thing remaining for the Exim server owners is to update the version to 4.92 as soon as possible and as well as prevent any attacks from impacting their Email servers.

Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for the general purpose only and unintended to promote or support purchasing and/or selling of any products and services or serve as a recommendation in the involvement of doing so. Neither Darkweblink.com nor any member is responsible directly or indirectly for any loss or damage caused or alleged to be caused by or in relation with the reliance on or usage of any content, goods or services mentioned in this article.


Please enter your comment!
Please enter your name here