Security News > 2020 > January > Critical RCE flaw in OpenSMTPD, patch available

Qualys researchers have discovered a critical vulnerability in OpenBSD's OpenSMTPD mail server, which can allow attackers to execute arbitrary shell commands on the underlying system as root.
OpenSMTPD is an open source implementation of the Simple Mail Transfer Protocol.
OpenSMTPD has also been incorporated in some of them.
The flaw has been responsibly disclosed to OpenSMTPD developers, who have released a patch for OpenBSD. A portable versions of the implementation has also been made available.
They did not say which versions of OpenSMTPD are affected, but promised to provide more details about the flaw "When things settle down".
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/oVbmBSCsISQ/
Related news
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364) (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)