EXIM Vulnerability (CVE-2019-13917) – Summary

Non-Technical Advice

The vulnerability described on this and the following page affects various versions of the EXIM mail transfer agent (4.85 – 4.92). If you have any of these versions of EXIM in a non-default configuration, you may be at risk of this vulnerability being exploited.

The Operation Configured team have contacted you because research indicates that your organisation may have this vulnerability and it is exposed to the public internet. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation, it is important you establish for yourself whether your organisation is vulnerable. If you establish that your systems are vulnerable, there is an increased risk you will fall victim to a potentially devastating criminal cyber attack.

There is another technically focused summary of this vulnerability available for ICT and other technical teams. You should use them to support you in making choices about how to approach this situation.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

About this Vulnerability

In July 2019, researchers discovered this vulnerability affecting certain versions of EXIM with non-default configurations, which allows criminals to remotely gain full access to these systems with administrative privileges (system / root) and also conduct denial of service attacks. 

Criminals can install programs of their choice depending on their objectives, modify / delete data or email settings and even create new accounts.  There is also the risk that this could enable further potential vulnerabilities to be exploited and allow the criminals to move laterally within enterprise networks and gain more access to systems, services and data.

It has also been reported that a similar vulnerability in Exim (CVE-2019-10149) reported in May 2019 had been exploited globally after just one week of the vulnerability being publicly disclosed.  The common objective being to install ‘crypto-jacking’/’crypto-mining’ code on the Exim servers.  The Russian military have been reportedly to have been exploiting this vulnerability since at least August 2019.

Crypto-jacking effectively uses your computer power and electricity in efforts to generate criminals their own cryptocurrency.  This effectively decreases the speed and efficiency of your network and reduces the operational time these servers work before developing a fault.

The Risk this Vulnerability poses

There are significant risks should you choose to ignore or accept this vulnerability remaining in your system. Criminals are known to have been scanning for vulnerable EXIM servers and using them to attack and exploit organisations. Consequences may include, but are not limited to:

  • Access to sensitive / confidential data
  • Adding unauthorised user accounts onto the server
  • Modification, deletion or theft of data
  • Theft of electricity (crypto-mining)
  • Increased degradation of affected hardware
  • Corruption of your backups
  • Denial of services
  • Using you to attack others that you work with, damaging your reputation
  • Ransomware attack against your systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • Your organisation ceasing operations because of system failure, reputational damage or financial losses

News Reporting of Exploitation of EXIM Vulnerability

The exploitation of EXIM vulnerability (CVE-2019-13917) was reported as exposing servers to denial of service attacks and remote code executions by criminals:

September 2019 – New Exim Vulnerability Exposes Servers to DoS Attacks, RCE Risks (bleepingcomputer.com)

The exploitation of a similar EXIM vulnerability (CVE-2019-10149) made the headlines:

June 2019 – Millions of Exim Mail Servers Are Currently Being Attacked (bleepingcomputer.com)

June 2020 – NSA Sandworm Hacking Advisory Unlikely to Stall Russian Crew – MSSP Alert

Next Steps

The next steps for your organisation should be to:

  1. Verify the presence of this vulnerability in your organisation; if so:
  2. Establish if this vulnerability has already been exploited on your systems
  3. Work with your ICT team or provider to establish the degree of threat, potential harm and risk posed to your organisation
  4. Isolate and mitigate the risk as soon as possible
  5. Establish a plan to resolve this vulnerability and eliminate the risk
  6. Plan to improve your cybersecurity for the future

For more information: