NSA warns of Exim CVE-2019-10149 exploitation

Overview

The National Security Agency (NSA) issued an advisory on 28 May 2020 warning that state-sponsored actors were actively exploiting CVE-2019-10149 in Exim mail transfer agents. The critical vulnerability allows remote code execution via specially crafted RCPT commands, enabling attackers to gain root-level access on affected mail servers. Organizations running unpatched Exim versions face immediate risk of compromise and must focus on remediation.

Technical details

CVE-2019-10149 is a critical remote code execution vulnerability in Exim mail server software:

• Affected versions: Exim versions 4.87 through 4.91 are vulnerable to remote exploitation without authentication.
• Vulnerability mechanism: The flaw exists in the deliver_message() function and can be exploited by sending a specially crafted RCPT TO command to the mail server.
• Exploitation complexity: Local exploitation is straightforward, while remote exploitation requires specific configurations but remains practical for targeted attacks.
• CVSS score: The vulnerability received a CVSS 3.x score of 9.8 (Critical), reflecting the severity of potential impact.
• Root access: Successful exploitation typically provides root-level access to the underlying system, enabling complete compromise.

Threat Actor Activity

The NSA advisory documented active exploitation by sophisticated threat actors:

• State-sponsored activity: Russian-linked threat actors were identified as actively exploiting the vulnerability against targets of intelligence interest.
• Campaign scope: Exploitation was observed against government, defense, and private sector targets with vulnerable Exim deployments.
• Weaponization timeline: The vulnerability was publicly disclosed in June 2019, with active exploitation detected in the wild shortly after.
• Sustained campaigns: Despite patch availability, continued exploitation reflects persistent scanning for unpatched systems.

Post-Compromise Activity

NSA observed several post-exploitation techniques following successful Exim compromise:

• Unauthorized account creation: Attackers created new system accounts with administrative privileges to maintain persistent access.
• SSH configuration modification: Modifications to sshd configuration enabled alternative authentication methods and key-based access.
• Persistence mechanisms: Cron jobs and scheduled tasks established callback mechanisms for continued access even after initial entry points were closed.
• Credential harvesting: Compromised mail servers provided access to email contents, stored credentials, and network positioning for lateral movement.
• Malware deployment: Some compromised systems received additional malware payloads supporting espionage or further network penetration.

Security Impact Assessment

Exim compromise creates significant security implications:

• Email exposure: Mail servers process sensitive communications, and compromise exposes message contents, attachments, and metadata to attackers.
• Network positioning: Mail servers often have broad network access for message delivery, providing attackers with positioning for internal reconnaissance and lateral movement.
• Credential access: Stored credentials, authentication tokens, and LDAP integration may expose directory services and other internal resources.
• Reputation damage: Compromised mail servers can be used for spam, phishing, or malware distribution, damaging organizational reputation and potentially resulting in blocklisting.
• Supply chain risk: Organizations may unknowingly use Exim through vendor appliances, cloud services, or managed hosting without realizing the exposure.

Affected Environment Identification

If you are affected, identify potentially vulnerable Exim deployments:

• Direct installations: Servers running Exim as the primary mail transfer agent, common in Linux environments.
• Linux distributions: Debian, Ubuntu, and other distributions ship Exim as a default or optional MTA, potentially installing it without administrator awareness.
• Appliance products: Commercial email appliances and security gateways may use Exim internally for message handling.
• Cloud instances: Cloud-hosted servers may include Exim in base images or through package dependencies.
• Container deployments: Docker images and container deployments may bundle vulnerable Exim versions.

Remediation Actions

If you are affected, take immediate steps to address CVE-2019-10149:

• Immediate patching: Upgrade Exim to version 4.92.2 or later, which fully addresses the vulnerability. Version 4.92 contains a partial fix.
• Distribution updates: For distribution-packaged Exim, apply vendor-provided security updates through standard package management.
• Appliance updates: Contact vendors of email appliances or managed services to confirm their Exim patch status.
• Temporary mitigation: If immediate patching is not possible, implement network-level restrictions limiting access to SMTP ports from untrusted sources.
• Configuration review: Verify Exim configuration does not enable more dangerous exploitation variants through specific settings.

Compromise Assessment

If you are affected, assess whether systems were compromised before patching:

• User account audit: Review /etc/passwd and /etc/shadow for unauthorized accounts created after June 2019.
• SSH configuration: Check sshd_config and authorized_keys files for unauthorized modifications or added keys.
• Cron and scheduled tasks: Examine cron directories and user crontabs for suspicious entries.
• Process analysis: Identify unexpected running processes, particularly those with network connections.
• Log review: Analyze mail logs for unusual RCPT patterns that might show exploitation attempts.
• Network monitoring: Review outbound connections from mail servers for unexpected destinations.

Detection and Monitoring

Implement monitoring to detect exploitation attempts:

• SMTP traffic analysis: Monitor for malformed RCPT TO commands or unusual command patterns in SMTP sessions.
• Process monitoring: Alert on unexpected process execution on mail servers, particularly shell spawning.
• File integrity monitoring: Detect modifications to system configuration files, SSH settings, and cron entries.
• Network anomaly detection: Identify unusual outbound connections from mail servers that might show command-and-control communication.
• Authentication monitoring: Track new account creation and SSH authentication events on mail servers.

Infrastructure Hardening

Beyond patching, you should implement defense-in-depth measures:

• Network segmentation: Isolate mail servers in dedicated network segments with restricted access to internal resources.
• Minimal exposure: Limit Exim listening interfaces to necessary addresses and restrict access to management ports.
• Authentication requirements: Require SMTP authentication for relay functions and limit relay capabilities.
• Rate limiting: Implement connection and message rate limiting to slow potential exploitation.
• Logging improvement: Configure full logging and forward logs to centralized SIEM platforms.

Supply Chain Considerations

If you are affected, assess third-party exposure:

• Query managed service providers and cloud hosting vendors about their Exim deployment and patch status
• Review vendor security advisories for appliances that may use Exim internally
• Assess Docker Hub and container registry images for vulnerable Exim versions
• Include Exim vulnerability status in vendor security assessments

Summary

The NSA advisory highlights the persistent threat posed by unpatched internet-facing systems, particularly mail servers that handle sensitive communications and maintain broad network access. Organizations must focus on identification and patching of vulnerable Exim deployments while conducting compromise assessments to detect potential historical exploitation. The state-sponsored nature of observed attacks emphasizes that this vulnerability remains a high-priority target for sophisticated threat actors.

More on this topic

Further reading from our research library.

Cybersecurity · Credibility 73/100 · January 14, 2020

Oracle issues January 2020 Critical Patch Update

Oracle's first 2020 Critical Patch Update dropped with 334 fixes. If you are running WebLogic, Database, or Java SE, check the matrix—several of these are network-exploitable without authentication.

Cybersecurity · Credibility 73/100 · May 12, 2020

CISA/NSA list the top 10 exploited vulnerabilities

Want to know which CVEs attackers actually exploit? CISA, FBI, and NSA just published the top 10 from 2016-2019—and they are not exotic zero-days. Pulse Secure, Citrix ADC, SharePoint, Office flaws. Stuff that is been…

Cybersecurity · Credibility 91/100 · March 30, 2020

FBI FLASH warns of Kwampirs supply-chain intrusions

The FBI issued a FLASH alert about the Kwampirs remote-access Trojan targeting supply-chain and healthcare networks, urging organizations to hunt for indicators, tighten remote access, and segment critical systems.

Cybersecurity · Credibility 86/100 · February 24, 2020

Chrome 80 patches actively exploited V8 zero-day (CVE-2020-6418)

Google’s 24 February 2020 stable release patches CVE-2020-6418, a V8 type confusion exploited in the wild; admins must force-update Chrome, validate enterprise policies, and monitor for crash telemetry anomalies.

Cybersecurity · Credibility 73/100 · September 1, 2020

Salesforce Introduces Scoped API Access: Enhanced Security Controls for Platform Integrations

Salesforce launches scoped API access controls, enabling granular permission management for connected applications. The improvement addresses enterprise security requirements for least-privilege access in multi-tenant…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook

  Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

• Network Security Fundamentals Explained Practically

  A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

• Small Business Cybersecurity Survival Checklist

  A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published

May 28, 2020

Coverage pillar

Cybersecurity

Source credibility

73/100 — medium confidence

Topics

Email security · Vulnerability management · Patch management · Threat intelligence

Sources cited

3 sources (media.defense.gov, csrc.nist.gov, iso.org)

Reading time

5 min

Source material

1. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments — NSA
2. NIST Computer Security Resource Center — NIST
3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization