EXIM Vulnerability (CVE-2019-13917)

The vulnerability described on this and the following pages affects various Exim products between versions Exim 4.87 – 4.91. If you use EXIM between 4.85 – 4.92) as a Mail Transfer Agent, you may be at risk of these vulnerabilities.

  • You are encouraged to read the following information if the Operation Configured team have informed you that your organisation may have this vulnerability and as a result be at greater risk of criminal cyber-attacks. The following pages will give you an indication of the risk these pose, possible consequences of ignoring this risk and point you towards confirming and solving the problem leading to this risk. The guidance that follows is split into non-technical and technical content, which you can choose based on your level of knowledge and understanding.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

This vulnerability has been assigned a unique verifiable reference number (CVE) which allows you to easily find more information about it from other sources, verifying the reference number using a simple web search.

The majority of vulnerabilities are scored using a common scoring framework, known as the Common Vulnerability Scoring System (CVSS) which base the scoring on various metrics, including the impact. This allows organisations to easily compare risks posed by different vulnerabilities. The CVSS score for this vulnerability (CVE-2021-13917) is 9.8 out of 10. This translates to a potentially critical degree of risk.

This vulnerability has been actively exploited by cyber criminals, causing significant damage and financial losses to organisations around the world of all sizes, as illustrated by being on the USA’s Cybersecurity Infrastructure & Security Agency (CISA) catalogue as one of the many exploited vulnerabilities :


If you have this vulnerability, fixing it as soon as possible is essential to protecting your organisation. The cost of fixing this is almost certainly less than the costs and losses incurred by a criminal cyber attack.

There are two routes of further advice provided on our website which you can follow depending on your degree of technical ability and/or role.