WARNING: REMOTE SQL INJECTION IN EXIM (MAIL TRANSFER AGENT), PATCH IMMEDIATELY!

Published: 25/02/2025

Reference:
Advisory #2025-42

Version:
1.0

Affected software:
Exim (Mail Transfer Agent - MTA) 4.98 4.9.8.1

Type:
SQL injection

CVE/CVSS:
CVE-2025-26794: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Sources

https://www.exim.org/static/doc/security/CVE-2025-26794.txt

Risks

Exim, a Mail Transfer Agent (MTA), addressed a high-severity remote SQL injection vulnerability. This vulnerability can be exploited when Exim uses SQLite for its hints databases and ETRN serialization is enabled, allowing a remote attacker to execute arbitrary SQL queries.
 
Mail Transfer Agents like Exim are high value targets due to their role in email routing. Exploiting this flaw could disrupt communication, enable botnet control, or lead to data leaks, impacting business operations and security.
 
Exploitation of this vulnerability can have a high impact on availability, potentially disrupting mail services. 

There is no information as to active exploitation at this time (cut-off date: 24 February 2025).

 

Description

CVE-2025-26794 is a remote SQL injection vulnerability in Exim version 4.98, exploitable under specific conditions. The flaw occurs when the _USE_SQLITE_ build option is enabled, allowing Exim to use SQLite for hints databases, and the runtime configuration both allows ETRN (acl_smtp_etrn) and enforces ETRN serialization (smtp_etrn_serialize).
 
Please note that exploitation requires the attacker to have remote access to an Exim MTA server with these configurations, which limits the threat surface to only Exim deployments with these specific settings enabled. Exim recommends reviewing your Exim configurations to ensure that these settings are either disabled or updated as necessary.
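The review of configurations suggested above can be scripted. The following is an added example, not code from the CCB advisory or the Exim project: it checks the three preconditions named in the description (version 4.98, SQLite hints databases, ETRN accepted and serialized) against the output of the installed Exim binary. It assumes that `exim -bV` prints an "Exim version X" line and a line naming the hints-database backend, and that `exim -bP <option>` prints "name = value" for string options and "name" or "no_name" for boolean options; the sample values used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the CCB advisory or the Exim project): a defender-side
# exposure check for CVE-2025-26794 built on the advisory's three preconditions.
# Assumptions: `exim -bV` prints "Exim version X ..." and a line naming the hints
# DB backend; `exim -bP <opt>` prints "name = value" (string) or "name"/"no_name"
# (boolean). Sample inputs such as "Hints DB: sqlite" are constructed.

# assess_exposure VERSION_LINE HINTS_LINE ACL_ETRN_LINE SERIALIZE_LINE
# Exit 0 when every precondition holds (vulnerable configuration), 1 otherwise.
assess_exposure() {
  case "$1" in
    *"Exim version 4.98 "*|"Exim version 4.98") ;;   # "4.98.1" does not match
    *) return 1 ;;
  esac
  case "$2" in
    *[Ss][Qq][Ll][Ii][Tt][Ee]*) ;;                    # built with USE_SQLITE
    *) return 1 ;;
  esac
  # ETRN is only accepted when acl_smtp_etrn names an ACL (non-empty value).
  acl_value=$(printf '%s' "$3" | sed 's/^[^=]*=[[:space:]]*//')
  [ -n "$acl_value" ] || return 1
  # Boolean options print as "no_smtp_etrn_serialize" when disabled.
  case "$4" in
    no_smtp_etrn_serialize*) return 1 ;;
  esac
  return 0
}

# Gather the four values from the installed binary and report the verdict.
check_local_exim() {
  command -v exim >/dev/null 2>&1 || { echo "exim not found"; return 2; }
  bv=$(exim -bV 2>/dev/null || true)
  version=$(printf '%s\n' "$bv" | grep '^Exim version' || true)
  hints=$(printf '%s\n' "$bv" | grep -i -e hints -e sqlite || true)
  acl=$(exim -bP acl_smtp_etrn 2>/dev/null || true)
  ser=$(exim -bP smtp_etrn_serialize 2>/dev/null || true)
  if assess_exposure "$version" "$hints" "$acl" "$ser"; then
    echo "EXPOSED: all CVE-2025-26794 preconditions hold; update Exim or restrict ETRN"
    return 0
  fi
  echo "not exposed by the advisory's criteria (re-check after configuration changes)"
  return 1
}

if [ "${1:-}" = "--run" ]; then check_local_exim; fi
```

Run the script with `--run` on the mail host; an "EXPOSED" verdict means patching or disabling ETRN (or its serialization) is required, while a negative verdict only covers the preconditions the advisory names.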

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
 
Monitor/Detect
 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
