
Cybersecurity Briefing — NSA warns of Exim CVE-2019-10149 exploitation

The NSA cautioned on May 28, 2020 that Russian actors were exploiting Exim mail servers via CVE-2019-10149, urging immediate upgrades to patched versions and audits for unauthorized users or scheduled tasks.


Executive briefing: The National Security Agency warned that state-sponsored actors were exploiting CVE-2019-10149 in Exim mail transfer agents. Unpatched servers allow remote code execution via malicious RCPT commands, letting attackers create users, deploy malware, or pivot deeper into networks.

What changed

  • NSA observed weaponization of the flaw to gain root-level access on Exim versions 4.87–4.91, which had shipped widely in Linux distributions.
  • Patches released in Exim 4.92 and 4.92.2 fully address the vulnerability and must be applied even on internet-facing relays with limited functionality.
  • Post-compromise activity included creating unauthorized accounts, modifying sshd configuration, and establishing cron jobs for persistence.

Why it matters

  • Mail transfer agents are high-value perimeter assets; remote code execution on Exim can expose credentials, forward sensitive mail, or provide a beachhead into internal networks.
  • Organizations relying on vendor appliances or managed services may not realize they ship Exim, making asset discovery essential.
  • State-linked exploitation increases the likelihood of follow-on ransomware or espionage operations if systems remain unpatched.

Action items for operators

  • Upgrade Exim to 4.92.2 or later immediately and verify package repositories or appliance firmware incorporate the fix.
  • Audit mail gateways for new accounts, modified sshd settings, unauthorized sudoers entries, and cron tasks created after June 2019.
  • Harden MTAs by limiting exposure to necessary interfaces, enforcing authentication where possible, and monitoring for suspicious RCPT or mail-from patterns.
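The upgrade and audit steps above as an added example, not code from the NSA advisory or the Exim project: a POSIX shell script that checks the installed Exim version against the 4.92.2 threshold the briefing gives and lists extra UID-0 accounts and cron, sshd and sudoers files changed since June 2019. The binary names exim/exim4, the cutoff date 2019-06-01 and the set of paths it inspects are assumptions.

```shell
#!/bin/sh
# Host audit helpers after the Exim CVE-2019-10149 advisory. Assumed (not from the
# advisory): threshold 4.92.2, cutoff 2019-06-01, binary named "exim" or "exim4".
# Numeric dotted-version compare: succeeds when $1 >= $2 (so 4.10 ranks above 4.9).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}
# Extract the bare version number from the first line of "exim -bV" output.
exim_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}
# Succeeds when the version is at or past the 4.92.2 threshold named in the briefing.
is_patched() { version_ge "$1" "4.92.2"; }
# Print any account other than root that carries UID 0 in the given passwd file.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}
# Print cron, sshd and sudoers files under root $1 modified since $2 (YYYYMMDD).
recent_persistence_files() {
  root="${1:-/}"; since="${2:-20190601}"
  ref=$(mktemp) && touch -t "${since}0000" "$ref" || return 1
  for p in etc/crontab etc/cron.d etc/cron.daily etc/cron.hourly etc/cron.weekly \
           var/spool/cron etc/ssh/sshd_config etc/sudoers etc/sudoers.d; do
    [ -e "$root/$p" ] && find "$root/$p" -type f -newer "$ref"
  done
  rm -f "$ref"
}
# Run every check against the live host and print the findings.
audit_host() {
  bin=$(command -v exim 2>/dev/null || command -v exim4 2>/dev/null)
  if [ -n "$bin" ]; then
    v=$(exim_version_from_banner "$("$bin" -bV 2>/dev/null | head -n 1)")
    if [ -n "$v" ] && is_patched "$v"; then echo "exim $v: patched"
    else echo "exim ${v:-?}: UPGRADE to 4.92.2 or later (CVE-2019-10149)"; fi
  fi
  extra_uid0_accounts /etc/passwd | sed 's/^/extra UID-0 account: /'
  recent_persistence_files / 20190601 | sed 's/^/changed since June 2019: /'
}
if [ "${EXIM_AUDIT_RUN:-0}" = 1 ]; then audit_host; fi
```

Run it as root with `EXIM_AUDIT_RUN=1 sh exim_audit.sh`; a listed file is a lead to review, not proof of compromise, since routine administration also touches these paths.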