External risk intelligence

Exim mail servers can be remotely hijacked to run any code.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-45185

Exim mail servers have a critical flaw that allows attackers to take complete control of your systems without needing any login. This serious vulnerability affects how Exim handles certain email transfers, making it a prime target for immediate attention.

5Halo Surface Signal

Use After Free

Exim

4.97 to before 4.99.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-45185

Exim is a widely deployed Mail Transfer Agent (MTA). MTAs are intentionally public-facing services designed to accept and process email traffic directly from the internet, making them inherently exposed to the public network by default in normal deployments.

PCI scan relevance

PCI Relevance for CVE-2026-45185

Yes

CVE-2026-45185 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Exim allows remote code execution, posing a significant security risk that is relevant to PCI compliance scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Exim, a mail server software, allows an unauthenticated attacker to execute arbitrary code. It stems from how the software handles specific TLS configurations and data transfers, potentially leading to memory corruption that can be exploited over the network.

  • Network attackers can exploit this.
  • It could lead to complete system compromise.
  • This is a critical vulnerability.

Attack Path

How an attacker could exploit the issue

An unauthenticated network attacker can trigger a use-after-free in Exim's BDAT body parsing when GnuTLS is configured. This happens by sending a specific sequence of TLS and cleartext messages during a CHUNKING transfer, leading to heap corruption and potential arbitrary code execution.

  • Network access required.
  • Targeted vulnerable Exim TLS configurations.
  • Client sends TLS close_notify mid-body.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is likely to be weaponized because Exim is a common mail server, and this flaw allows for unauthenticated remote code execution. Attackers favor such vulnerabilities as they grant direct control over critical infrastructure with minimal effort.

  • Public exploit code is available.
  • Vendor notes recent security disclosures.
  • Exploitation is possible over the network.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of Exim to version 4.99.3 or later to address the critical use-after-free vulnerability. If immediate patching is not feasible, isolate affected Exim servers from untrusted networks or implement strict firewall rules to block all incoming traffic on the SMTP port (25) until mitigation can be applied. Monitor logs for any signs of exploitation attempts or unusual activity on affected systems.

  • Patch Exim to 4.99.3+.
  • Isolate or firewall affected systems.
  • Monitor for exploitation.

Frequently asked questions

What is Exim and what is its role in email systems?

Exim is a mail transfer agent (MTA) used for sending and receiving emails between servers. It's a critical piece of infrastructure for managing email traffic for various organizations and internet service providers, facilitating communication across networks.

What type of weakness does CVE-2026-45185 represent in Exim?

CVE-2026-45185 is a use-after-free vulnerability, classified under CWE-416. This means Exim incorrectly continues to use memory after it has been freed, which can lead to heap corruption and enable attackers to potentially execute arbitrary code on the system.

How is the Exim vulnerability triggered and what is the scope of impact?

The vulnerability is triggered when a client sends a TLS close_notify notification mid-body during a CHUNKING transfer, followed by a cleartext byte on the same TCP connection, specifically when Exim is configured with certain GnuTLS settings. This can lead to heap corruption and allows for arbitrary code execution by an unauthenticated network attacker.

What is the significance of the Halo Surface Signal score for this Exim vulnerability?

The Halo Surface Signal score of 5, labeled 'Very likely', indicates that this Exim vulnerability is highly probable to be exploited. This is because Exim is a widely deployed mail transfer agent that is intentionally exposed to the public internet in typical configurations, making it an attractive target.

What is the recommended action to mitigate the Exim vulnerability CVE-2026-45185?

The primary mitigation is to update Exim to version 4.99.3 or later. If immediate patching is not possible, affected servers should be isolated from untrusted networks or have their SMTP ports firewalled until the update can be applied. Continuous monitoring for exploitation attempts is also advised.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified