Software crashes. Data corruption. Code command execution on vulnerable servers. That’s a taste of what organizations can expect if a critical zero-day vulnerability in Exim mail transfer agent (MTA) software is exploited.

The flaw (CVE-2023-42115) revealed by Trend Micro’s Zero Day Initiative (ZDI) is found in all versions of Exim, according to an advisory. That means millions of Exim servers could be impacted.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability,” the advisory said.

“The specific flaw exists within the smtp service, which listens on TCP port 25 by default,” it noted. “The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.”

The vulnerability, like a handful of other Exim bugs, remains unpatched. But ZDI advised that “given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.”

The flaw is not surprising. “Exim has been on the CISA Known Exploited Vulnerabilities catalog before; clearly malicious hackers are returning to Exim because of previous (perhaps slow or ineffective) responses,” said John Gallagher, vice president of Viakoo Labs.

In revealing the vulnerability, a Bleeping Computer report cited a survey that figured Exim can be found on well over half (56%) of the more than 600,000 email servers that can be accessed via the internet.

The report also noted that a Shodan search showed that 3.5 million Exim servers, mostly in the U.S., Russia and Germany are exposed online.

“Exim is something of a right of passage for a lot of Linux sys admins. This is a significant set of vulnerabilities that could have quite broad implications,” said Andrew Barratt, vice president at Coalfire.

“As mail servers are typically open ports up directly to the internet–these can be rapidly discovered–and with remote code execution at play, we might see huge amounts of automated attacks from the initial access brokers looking to wholesale sell these on the criminal markets,” said Barratt.

The latest vulnerability raised immediate concern among security pros. “Mail servers are inherently public facing, which means these vulnerabilities are extremely concerning, especially the RCE ones,” said John Bambenek, principal threat hunter at Netenrich. “Organizations can’t shut down their email servers, so they should prioritize patching immediately as widespread exploitation will probably begin in a day or two.”

Gallagher urged that “these vulnerabilities should be considered highly exploitable; they are public, Exim has been slow to release patches, devices can be found through a Shodan search, and many organizations will have to implement the patch.”

He believes that “with many open source projects the users are not always IT; it’s likely that the patching of Exim products will be slow because many non-IT organizations will be managing these products.”