CVE-2010-4345

HIGH KEV

Exim4 string_format Function Heap Buffer Overflow

Title source: metasploit

Exploitation Summary

CVE-2010-4345 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 2 public exploits from researchers including Metasploit, jduck and hdm, among them the Metasploit module exploits/unix/smtp/exim4_string_format.

AI-analyzed exploit summary: This Metasploit module exploits a heap buffer overflow in Exim versions prior to 4.69 via a crafted email message, leading to remote code execution. It also attempts local privilege escalation via CVE-2010-4345 if Perl is available.

Description

Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16925

This Metasploit module exploits a heap buffer overflow in Exim versions prior to 4.69 via a crafted email message, leading to remote code execution. It also attempts local privilege escalation via CVE-2010-4345 if Perl is available.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Exim <= 4.69
No auth needed
Prerequisites: Exim SMTP service accessible · Log rejection headers enabled (default) · Perl installed for privilege escalation
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by jduck, hdm · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/exim4_string_format.rb

This Metasploit module exploits a heap buffer overflow in Exim (CVE-2010-4344) by sending a crafted email message to corrupt heap memory and execute arbitrary commands. It also attempts local privilege escalation via CVE-2010-4345 if Perl is available.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Exim < 4.69
No auth needed
Prerequisites: Network access to Exim SMTP port · Exim version < 4.69 · Default logging configuration enabled
devstral-2 · analyzed Feb 16, 2026

References (29)

Core References
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/43128
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
Mailing List, Patch mailing-list x_refsource_mlist
http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/758489
Mailing List, Vendor Advisory mailing-list x_refsource_mlist
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
Issue Tracking, Patch x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=662012
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0364
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-0153.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/45341
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42930
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42576
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/43243
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024859
Mailing List mailing-list x_refsource_mlist
http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2154
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/515172/100/0/threaded
Press/Media Coverage, Third Party Advisory x_refsource_misc
http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0245
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0135
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1060-1
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3204
Issue Tracking, Patch x_refsource_confirm
http://bugs.exim.org/show_bug.cgi?id=1044
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2131
Broken Link, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3171
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/12/10/1
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/05/04/7

Scores

CVSS v3 7.8
EPSS 0.0651
EPSS Percentile 91.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2010-12-10
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2010-4314
CWE CWE-77
Status published
Products (10)
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 9.10
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 10.10
debian/debian_linux 5.0
exim/exim < 4.72
opensuse/opensuse 11.1
opensuse/opensuse 11.2
opensuse/opensuse 11.3
Published Dec 14, 2010
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026