Vulnerability in Exim email server exploited in data breaches
A vulnerability has been discovered in the Exim email server that allows attackers to execute commands on the vulnerable system. The NCSC-FI has received several reports of data breaches in Finland in which attackers penetrated systems through the Exim vulnerability. The vulnerability is being actively exploited in other countries as well. In the incidents reported to the NCSC-FI, the attacker broke into cPanel systems by exploiting the vulnerability in the Exim email server bundled with the cPanel software.
In connection with the data breaches, the attacker installed a backdoor on the server for later re-entry.
The attacker also installs cryptocurrency-mining malware on the target system.
Target group of the alert
Exim server administrators.
cPanel server administrators.
Possible solutions and restrictive measures
Update vulnerable Exim server software immediately.
Update vulnerable cPanel server software immediately.
Check that no backdoors or additional SSH keys have been installed on the server.
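As an added example (not part of the NCSC-FI advisory), the following POSIX shell helpers support the last two measures: a read-only version comparison against the fixed Exim release and an audit of authorized_keys files against a list of keys the administrator recognises. The fixed release is an assumption supplied as a placeholder, the `exim -bV` output format is assumed, and the sample keys are constructed.

```shell
# Added example, not from the NCSC-FI advisory: read-only helpers for two measures above, checking
# whether the installed Exim predates the fixed release and whether authorized_keys holds keys the
# administrator does not recognise. Nothing here modifies the host.

# Assumed fixed release (placeholder): confirm against the vendor advisory for CVE-2019-10149.
FIXED_EXIM_VERSION="${FIXED_EXIM_VERSION:-4.92}"

# version_lt A B: succeed if dotted version A sorts strictly before B (4.91 < 4.92 < 4.92.1).
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        a=${a#*.} b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# exim_needs_update [VERSION]: succeed if VERSION (default: what `exim -bV` reports) predates the fix.
exim_needs_update() {
    v="${1:-$(exim -bV 2>/dev/null | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p')}"
    [ -n "$v" ] || { echo "exim missing or version unreadable: check manually" >&2; return 2; }
    if version_lt "$v" "$FIXED_EXIM_VERSION"; then echo "Exim $v predates $FIXED_EXIM_VERSION: update"; return 0; fi
    echo "Exim $v is at or past $FIXED_EXIM_VERSION"; return 1
}

# unexpected_keys AUTHORIZED_KEYS ALLOWLIST: print key lines from the first file whose key material is
# absent from the allowlist (one "type base64 [comment]" per line). Leading options such as
# no-pty or command="..." are tolerated; blank and comment lines are skipped.
unexpected_keys() {
    awk 'function keyidx(  i) { for (i = 1; i <= NF; i++) if ($i ~ /^(sk-)?(ssh|ecdsa)-/) return i + 1; return 0 }
         FILENAME == ARGV[1] { if ((k = keyidx()) > 0) allow[$k] = 1; next }
         /^[[:space:]]*(#|$)/ { next }
         { k = keyidx(); if (k > 0 && !($k in allow)) print }' "$2" "$1"
}

# Constructed sample (not from any real host) so the key audit can be exercised offline.
SAMPLE_ALLOWLIST='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNADMINKEY0000000000 admin@example'
SAMPLE_AUTHORIZED_KEYS='# authorized_keys as found on the host (constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNADMINKEY0000000000 admin@example
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EEXAMPLEUNKNOWNKEY000000000000 root@unknown'

# audit_sample: print the unexpected key lines in the constructed sample (only the root@unknown line).
audit_sample() {
    a=$(mktemp) k=$(mktemp)
    printf '%s\n' "$SAMPLE_ALLOWLIST" >"$a"; printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" >"$k"
    unexpected_keys "$k" "$a"; rm -f "$a" "$k"
}
```

On a live host, run `exim_needs_update` without arguments and `unexpected_keys /root/.ssh/authorized_keys known_keys.txt` (and the same for every /home/*/.ssh/authorized_keys), treating any printed line as a key to investigate rather than as proof of compromise.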
- Exim-sähköpostipalvelimen haavoittuvuutta käytetään aktiivisesti hyväksi ("The Exim mail server vulnerability is being actively exploited"; Vulnerability 12/2019, 10.6.2019) (in Finnish)
- Useita Exim-sähköpostiohjelmistoa käyttäviä palvelimia murrettu Suomessa ("Several servers running Exim mail software breached in Finland"; Information security now! 10.6.2019) (in Finnish)
- CVE-2019-10149: Critical Remote Command Execution Vulnerability Discovered In Exim (External link) (6.6.2019)
- Exim CVE-2019-10149, how to protect yourself (External link) (6.6.2019)
English translation published.