Exim patches three of six zero-day bugs disclosed last week
Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro's Zero Day Initiative, one of them allowing unauthenticated attackers to gain remote code execution.
As Exim developer Heiko Schlittermann revealed on the Open Source Security mailing list on Friday, today's fixes were already "available in a protected repository" and "ready to be applied by the distribution maintainers."
While the ZDI team tagged CVE-2023-42115 with a 9.8/10 severity score, Exim says that successful exploitation of this flaw, the most severe of the six zero-days disclosed by ZDI last week, depends on the targeted servers using external authentication.
Even though 3.5 million Exim servers are exposed online, according to Shodan, this requirement drastically reduces the number of Exim mail servers potentially vulnerable to attacks.
An analysis of the six zero-days by watchTowr Labs confirms Exim's take on their severity, noting that they "require a very specific environment to be accessible."
Millions of Exim mail servers exposed to zero-day RCE attacks.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-05-03 | CVE-2023-42115 | Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. | 0.0 |