
Exim Use-After-Free Vulnerability Enables Privilege Escalation

A significant security threat has been uncovered in Exim, a popular open-source mail transfer agent (MTA) widely used in Linux distributions.

Tracked as CVE-2025-30232, the flaw is a use-after-free (UAF), a memory-safety bug in which a program continues to use memory after it has been freed. This type of bug can lead to privilege escalation, posing substantial risks for administrators and users alike.

Timeline of Events

The discovery and response to this vulnerability have been swift and coordinated:

  • 2025/03/13: The vulnerability was first reported by Trend Micro, demonstrating their commitment to responsible disclosure.
  • 2025/03/18: Acknowledgment of the report was sent to the reporting party.
  • 2025/03/19: A CVE ID was assigned, and notifications were sent to distribution maintainers via the OpenWall mailing lists and exim-maintainers to ensure prompt action.
  • 2025/03/21: A security release was made available exclusively for distribution maintainers to update their packages.
  • 2025/03/25: Public notification was issued to inform users of the vulnerability.
  • 2025/03/26: The security patches were made publicly available on Exim’s Git repository.

Vulnerability Details

The vulnerability specifically affects Exim versions 4.96, 4.97, 4.98, and 4.98.1. A system is exposed only if both of the following conditions are met:

  1. Exim Version: The system must be running one of the specified vulnerable versions.
  2. Command-Line Access: The attacker must have command-line access to the server.

This UAF vulnerability can potentially allow an attacker to escalate privileges, which means gaining higher levels of access or control over the system than initially granted.

Such a scenario is particularly dangerous as it could lead to unauthorized data access, system compromise, or even the deployment of malware.

According to Exim, Trend Micro is credited with discovering and responsibly reporting this issue (Ref: ZDI-CAN-26250). Their diligence has helped prevent potential misuse and ensured timely patches were developed.

To mitigate this risk, all users of affected Exim versions are advised to update to the latest secure version as soon as possible.

Distribution maintainers have already received security releases, which should be propagated through regular package updates.

CVE-2025-30232 is a serious use-after-free vulnerability in Exim that could be exploited for privilege escalation. Prompt action is essential to protect against this threat.

Users should look for updates in their system’s package manager and apply them at the earliest opportunity.
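
To check hosts against the affected versions listed under Vulnerability Details, the following triage helper can be used (an added example, not code from Exim or from the original article). The hostnames and banner lines are constructed samples, and the script assumes the first line of `exim -bV` output has the form `Exim version <x.y.z> ...`; a `listed` result still needs a look at the package changelog, because a distribution may ship the fix under an unchanged upstream version number.

```shell
#!/bin/sh
# Added example: triage Exim version banners against the versions this
# article lists as affected by CVE-2025-30232.

# Versions listed as affected in the article.
AFFECTED_VERSIONS="4.96 4.97 4.98 4.98.1"

# Extract the version token from the first line of `exim -bV` output,
# e.g. "Exim version 4.98 #2 built ..." -> "4.98". Prints nothing if the
# line is not an Exim banner (assumed banner format).
exim_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^Exim version \([0-9][0-9A-Za-z._-]*\).*/\1/p'
}

# Classify one banner:
#   listed   - version is in the article's affected list
#   unlisted - parsed, but not in that list (includes -RC builds)
#   unknown  - not an Exim banner (Exim absent, or another MTA)
classify_banner() {
    ver=$(exim_version_from_banner "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    for v in $AFFECTED_VERSIONS; do
        if [ "$ver" = "$v" ]; then echo listed; return 0; fi
    done
    echo unlisted
}

# Triage an inventory of "host<TAB>banner" lines read from stdin and
# print "host<TAB>status" for each host.
triage_inventory() {
    while IFS="$(printf '\t')" read -r host banner; do
        [ -n "$host" ] || continue
        printf '%s\t%s\n' "$host" "$(classify_banner "$banner")"
    done
}

# Constructed sample inventory (hypothetical hosts and banner lines).
sample_inventory() {
    printf 'mx1.example.test\tExim version 4.98.1 #2 built 01-Jan-2025 00:00:00\n'
    printf 'mx2.example.test\tExim version 4.95 #2 built 01-Jan-2022 00:00:00\n'
    printf 'mx3.example.test\tsh: exim: command not found\n'
}

sample_inventory | triage_inventory
```

On a live host, pass the first line of `exim -bV` to `classify_banner` instead of the sample data.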


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
