Millions of unpatched Exim mail servers are now under active attack

Cybercriminals are now actively attacking mail servers that use Exim for their work to exploit a vulnerability recently discovered in software.

As of June 2019, Exim was set at nearly 57% (507,389) of all mail servers that were visible on the Internet (according to some data, in fact, the number of Exim installations exceeds this figure by ten times and consisted 5.4 million).

As Trojan-Killer wrote: 57% of mail-servers have critical vulnerability

This is a CVE-2019-10149 vulnerability, also known as “Return of the WIZard”, which affects Exim versions from 4.87 to 4.91. The vulnerability allows a remote/local attacker to launch commands on the mail server with superuser privileges.

According to explorer Freddie Leeman, the first wave of attacks began on June 9th.

Freddie Leeman
Freddie Leeman

“During the campaign, a certain hacker group began attacking mail servers from the C & C server located on the Internet, and in the following days began experimenting with operating methods, changing the type of malware and scripts downloaded to infected servers”, – reported on the incident Freddie Leeman.

At nearly the same time, was recorded another wave of attacks, organized by another group. According to IB experts, this campaign is more complex than the one described above and continues to evolve.

Magni R. Sigurðsson
Magni R. Sigurðsson

“The immediate objective of the current attack is to create a backdoor into the MTA servers by downloading a shell script that adds an SSH key to the root account,” – Magni R. Sigurðsson, a security researcher from Cyren told

The script itself located on a server of Tor network, making it almost impossible to find out its origin. Most hackers attack systems based on Red Hat Enterprise Linux (RHEL), Debian, openSUSE and Alpine Linux OSs.

According to information security specialists, the second campaign also uses a worm to spread the infection to other mail servers.

In addition to the backdoor, the attackers download cryptocurrency mining programs to the compromised servers.

To protect against attacks, owners of vulnerable servers are highly recommended to upgrade to the new version of Exim – 4.92.


About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

MageCart on the Heroku Cloud Platform

Researchers Found Several MageCart Web Skimmers On Heroku Cloud Platform

Researchers at Malwarebytes reported about finding several MageCart web skimmers on the Heroku cloud platform …

Android Spyware CallerSpy

CallerSpy spyware masks as an Android chat application

Trend Micro experts discovered the malware CallerSpy, which masks as an Android chat application and, …

Leave a Reply