CVE-2010-4344

CRITICAL KEV

Exim < 4.70 - Remote Code Execution via Crafted SMTP Headers

Exploitation Summary

CVE-2010-4344 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 3 public exploits from researchers including kingcope, jduck, and hdm, among them the Metasploit module exploits/unix/smtp/exim4_string_format.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in Exim 4.63, allowing remote command execution by sending a maliciously crafted email with oversized headers. It leverages the 'spool_directory' configuration option to execute arbitrary commands with root privileges.

Description

Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.

Exploits (3)

exploitdb WORKING POC VERIFIED
by kingcope · perl · remote · linux
https://www.exploit-db.com/exploits/15725

This exploit targets a buffer overflow vulnerability in Exim 4.63, allowing remote command execution by sending a maliciously crafted email with oversized headers. It leverages the 'spool_directory' configuration option to execute arbitrary commands with root privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Exim 4.63 (RedHat/Centos/Debian)
No auth needed
Prerequisites: Network access to the Exim SMTP service (port 25) · Exim 4.63 running on a vulnerable system
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by jduck, hdm · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/exim4_string_format.rb

This Metasploit module exploits a heap buffer overflow in Exim's 'string_vformat' function (CVE-2010-4344) by sending a crafted email message that overflows the log buffer, allowing arbitrary command execution. It also attempts privilege escalation via CVE-2010-4345 if Perl is available.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Exim < 4.69
No auth needed
Prerequisites: Exim SMTP service accessible · Default logging configuration enabled
devstral-2 · analyzed Jun 05, 2026

exploitdb WORKING POC
ruby · remote · linux
https://www.exploit-db.com/exploits/16925

This Metasploit module exploits a heap buffer overflow in Exim versions prior to 4.69 via the 'string_vformat' function. It sends a crafted email message to trigger the vulnerability, allowing arbitrary command execution with the privileges of the Exim daemon.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Exim <= 4.69
No auth needed
Prerequisites: Network access to the Exim SMTP service · Exim version <= 4.69
devstral-2 · analyzed Feb 19, 2026

References (34)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024858
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3186
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/45308
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
Exploit, Mailing List mailing-list x_refsource_mlist
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
Issue Tracking, Patch x_refsource_confirm
http://bugs.exim.org/show_bug.cgi?id=787
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0970.html
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42576
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42587
Exploit, Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=661756
Mailing List, Patch mailing-list x_refsource_mlist
http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40019
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3172
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/682457
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3181
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42586
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3317
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1032-1
Broken Link, Exploit, Patch vdb-entry x_refsource_osvdb
http://www.osvdb.org/69685
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/515172/100/0/threaded
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3246
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3204
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2131
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3171
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42589
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/12/10/1
Exploit, Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/05/04/7

Scores

CVSS v3 9.8
EPSS 0.5187
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2010-12-10
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2010-4313
CWE CWE-787
Status published
Products (8)
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 9.10
debian/debian_linux 5.0
exim/exim < 4.70
opensuse/opensuse 11.1
opensuse/opensuse 11.2
opensuse/opensuse 11.3
Published Dec 14, 2010
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026