Security News > 2020 > June > Several Exim Vulnerabilities Exploited in Russia-Linked Attacks
Several vulnerabilities affecting the Exim mail transfer agent have been exploited by Russia-linked hackers, and administrators have been urged to patch immediately, but hundreds of thousands of servers remain unpatched.
The U.S. National Security Agency issued an alert last week to urge users to update their Exim servers to version 4.93 or newer, as earlier versions are impacted by vulnerabilities that have been exploited by a hacker group with ties to the Russian military.
Threat intelligence company RiskIQ says there are two other Exim vulnerabilities that have been exploited in the same campaign: CVE-2019-15846, a remote code execution vulnerability patched in September 2019 that impacts version 4.92.1 and earlier, and CVE-2019-16928, a DoS and code execution vulnerability affecting versions 4.92 through 4.92.2.
While a majority are running Exim 4.92, which patches CVE-2019-10149, the other two vulnerabilities still expose servers to attacks, which is likely why the NSA has advised users to update to version 4.93.
The threat group exploiting these vulnerabilities is tracked as Sandworm and TeleBots, and it has been linked to Russia's General Staff Main Intelligence Directorate.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-27 | CVE-2019-16928 | Out-of-bounds Write vulnerability in multiple products Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. | 9.8 |
| 2019-09-06 | CVE-2019-15846 | Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. | 9.8 |
| 2019-06-05 | CVE-2019-10149 | OS Command Injection vulnerability in multiple products A flaw was found in Exim versions 4.87 to 4.91 (inclusive). | 9.8 |