EXIM Vulnerability (CVE-2022-37452) – Summary

Non-Technical Advice

The vulnerability described on this and the following page affects various versions of the EXIM mail transfer agent up to but excluding version 4.95. If you have any of these versions of EXIM, you may be at risk of this vulnerability being exploited.

The Operation Configured team have contacted you because research indicates that your organisation or an organisation your ICT team supports may have this vulnerability and the EXIM server is exposed to the public internet. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation, it is important you establish for yourself whether the organisation is vulnerable. If you establish that the systems are vulnerable, there is an increased risk they will fall victim to a potentially devastating criminal cyber attack as a result.

There is another technically focused summary of this vulnerability available for ICT and other technical teams. You should use them to support you in making choices about how to approach this situation.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

About this Vulnerability

In August 2022, researchers discovered this vulnerability affecting multiple versions of EXIM which potentially allows attackers to remotely execute code with root (admin) privileges. The vulnerability causes something called a ‘buffer overflow’ that allows attackers to view, modify, and delete data if exploited. From here it could allow attackers to install programs and create new privileged accounts.  Potential scenarios that may arise include denial-of-service, security breaches and data leaks.

Exim has seen an increased focus from security researchers discovering and publicly disclosing several vulnerabilities in the application since 2021, including the Qualys research team who discovered 21 vulnerabilities with Exim in 2021.  This was coined the ’21 nails’ vulnerabilities with 10 vulnerabilities being remotely exploitable by attackers.

May 2021 – 21 nails in Exim mail server: Vulnerabilities enable ‘full remote unauthenticated code execution’, millions of boxes at risk – The Register

May 2021 – Critical 21Nails Exim bugs expose millions of servers to attacks – bleepingcomputer.com

The Risk this Vulnerability poses

There are risks should you choose to ignore or accept this vulnerability remaining in your system. Criminals are known to have been scanning for vulnerable EXIM servers and using them to attack and exploit organisations. Consequences may include, but are not limited to:

  • Access to sensitive / confidential data
  • Adding unauthorised user accounts onto the server
  • Modification, deletion or theft of data
  • Theft of electricity (crypto-mining)
  • Increased degradation of affected hardware
  • Corruption of your backups
  • Using you to attack others that you work with, damaging your reputation
  • Ransomware attack against your systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • Your organisation ceasing operations because of system failure, reputational damage or financial losses

Next Steps

The next steps for the organisation should be to:

  1. Verify the presence of this vulnerability in the organisation; if so:
  2. Establish if these vulnerability has already been exploited on the organisation’s systems
  3. Work with management to establish the degree of threat, potential harm and risk posed to the organisation
  4. Isolate and mitigate the risk as soon as possible
  5. Establish a plan to resolve this vulnerability and eliminate the risk
  6. Plan to improve the organisation’s cybersecurity for the future

For more information: