Exim Mail Transfer Vulnerability Allows Attackers to Inject Malicious SQL

A newly disclosed vulnerability in the Exim mail transfer agent (CVE-2025-26794) has sent shockwaves through the cybersecurity community, revealing a critical SQL injection flaw that enables attackers to compromise email systems and manipulate underlying databases.

 The vulnerability, confirmed in Exim Version 4.98 installations using SQLite for hints databases, represents one of the most severe email security threats identified in 2025, with potential impacts ranging from data exfiltration to complete system takeover.

Technical Breakdown of the Vulnerability

The security flaw resides in Exim’s handling of SQL queries when configured with specific build parameters and runtime settings.

Systems become vulnerable when compiled with the _USE_SQLITE_ option, which activates SQLite integration for hints database management, and when administrators enable ETRN commands without proper serialization safeguards.

Attackers exploiting this vulnerability can inject malicious SQL payloads through specially crafted email transactions, potentially gaining unauthorized access to sensitive database records containing email routing information and system metadata.

Attack Vector Analysis

Successful exploitation requires three concurrent conditions:

1. Vulnerable Exim Build: The server must run Exim 4.98 compiled with SQLite support (Hints DB: Using sqlite3 in exim -bV output)
2. ETRN Configuration: The acl_smtp_etrn setting must return ‘accept’ (default: ‘deny’)
3. Serialization Bypass: The smtp_etrn_serialize parameter must remain at its default ‘true’ value, creating race condition opportunities

This combination creates an exploitable window where attackers can execute arbitrary SQL commands through email server interactions.

Security researchers emphasize that while the default configuration provides some protection, many enterprise environments modify these settings for compatibility with legacy systems, inadvertently enabling attack pathways.

The Exim development team released patched versions within 72 hours of final confirmation, demonstrating exceptional response coordination.

Bataille’s responsible disclosure approach allowed developers to create mitigations before public revelation, minimizing potential damage.

Mitigation Strategies

Organizations using Exim must immediately:

1. Verify installation versions through exim -bV checks
2. Disable SQLite integration if not essential for operations
3. Implement strict ETRN command filtering in SMTP access control lists
4. Apply the official patch from Exim’s code repository

For systems requiring SQLite functionality, security teams should implement additional query sanitization layers and network-level monitoring for unusual database access patterns.

The Exim maintainers recommend complete migration to version 4.98.1, which contains architectural improvements to prevent similar injection vectors.

This vulnerability highlights persistent challenges in email infrastructure security, particularly in widely deployed open-source solutions.

With over 60% of internet-facing mail servers running Exim according to recent surveys, the potential attack surface remains substantial.

The incident underscores the critical importance of maintaining updated software inventories and participating in vendor security notification programs.

As Oscar Bataille noted in subsequent interviews: “This discovery reminds us that even mature, widely audited systems contain hidden risks when new features interact with legacy components”.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here