Security researchers have uncovered a critical SQL injection vulnerability (CVE-2025-26794) in Exim, the widely-used mail transfer agent (MTA) that powers over 60% of internet mail servers.
The flaw enables authenticated attackers to execute arbitrary SQL commands through specially crafted ETRN SMTP transactions when specific configuration conditions exist.
The vulnerability was reported through responsible disclosure channels on February 8, 2025, by security researcher Oscar Bataille.
Exim Mail Transfer Vulnerability
The vulnerability highlights critical challenges in mail server configuration security, particularly regarding the interaction between SMTP extensions (ETRN/RFC 1985) and database backends.
The vulnerability manifests in Exim 4.98 installations meeting three specific criteria:
- SQLite Integration: Compiled with _USE_SQLITE_ build flag, visible in exim -bV output under “Hints DB: Using sqlite3”.
- ETRN Configuration: acl_smtp_etrn set to accept (default: deny) in runtime configuration.
- Serialization Enabled: smtp_etrn_serialize = true (default setting).
Attack vectors leverage the ETRN command’s serialization mechanism, which improperly sanitizes SQL queries when storing transaction metadata.
A proof-of-concept exploit might utilize SMTP session manipulation:
This injection pattern could compromise SQLite databases containing delivery hints, sender verify records, and TLS session cache data.
Impact Analysis and Mitigation Strategies
Successful exploitation enables:
- Arbitrary SQL execution (INSERT/UPDATE/DELETE)
- Database schema manipulation via DDL commands
- Potential privilege escalation through SQLite’s LOAD_EXTENSION capability
Exim maintainers have released patched versions through standard update channels. System administrators must:
- Verify installation status using exim -bV | grep ‘Exim version’
- Check SQLite usage with grep ‘Using sqlite3’ <(exim -bV)
Apply security updates immediately via OS package managers or source compilation from code.exim.org
As of patch deployment, no active exploits have been observed in the wild, but the relative ease of exploitation suggests rapid weaponization is likely.
All organizations using Exim for mail routing should prioritize this update, particularly those handling sensitive communications or operating in regulated industries.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response and Threat Hunting – Register Here