Vulnerability in Exim email server exploited in data breaches

Alert 1/2019

A vulnerability has been discovered in the Exim email server that allows attackers to execute commands on the vulnerable system. The NCSC-FI has received several reports of data breaches in Finland in which attackers penetrated systems using the Exim vulnerability. The vulnerability is being actively exploited in other countries, too. In the incidents reported to the NCSC-FI, the attacker compromised cPanel systems by exploiting the vulnerability in the Exim email server bundled with the cPanel software.

In connection with the data breaches, the attacker has installed a backdoor on the server for later access.

The attacker also installs cryptocurrency-mining malware on the target system.

Target group of the alert

Exim server administrators.

cPanel server administrators.

Possible solutions and restrictive measures

Update vulnerable Exim server software immediately. 

Update vulnerable cPanel server software immediately.

Check that there are no backdoors or additional SSH keys installed on the server.
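
One way to carry out the SSH key check above, as an added example that is not part of the original alert: it fingerprints every entry in each user's authorized_keys file and reports those not in an approved set. The function names, the home-directory layout and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
from pathlib import Path

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints; None if undecodable."""
    try:
        digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    except ValueError:
        return None
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (line_no, options, key_type, fingerprint, comment) per entry."""
    for line_no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options such as command="..." or from="..." may precede the key type.
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                yield (line_no, " ".join(tokens[:i]), tok,
                       fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:]))
                break
        else:  # no recognised key type: report the line rather than skip it
            yield (line_no, line.strip(), None, None, "")

def unexpected_keys(text, approved):
    """Entries whose fingerprint is not in the approved set."""
    return [k for k in parse_authorized_keys(text) if k[3] not in approved]

def audit(home_root, approved):
    """Map each authorized_keys file under home_root to its unapproved entries."""
    files = Path(home_root).glob("*/.ssh/authorized_keys*")
    found = {str(p): unexpected_keys(p.read_text(errors="replace"), approved) for p in files}
    return {p: bad for p, bad in found.items() if bad}

def sample_blob(label):
    """Constructed stand-in for key material (not a usable key)."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + label.encode()).decode()

# Constructed sample: one approved key and one entry nobody signed off on.
SAMPLE = ("ssh-ed25519 " + sample_blob("admin") + " admin@example\n"
          'command="/bin/sh" ssh-ed25519 ' + sample_blob("other") + " unknown\n")
APPROVED = {fingerprint(sample_blob("admin"))}
```

Run audit() against /home and against / (the latter covers /root/.ssh), with the approved set built from the fingerprints of keys your administrators actually issued.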

 

More Information

 

Update history

English translation published.