CVE-2018-6789

CRITICAL KEV RANSOMWARE

Exim < 4.90.1 - Remote Code Execution via base64d Buffer Overflow


Exploitation Summary

CVE-2018-6789 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021), with confirmed use in ransomware campaigns. EIP tracks 7 public exploits from researchers including hackk.gr, straight_blast and martinclauss.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in Exim versions prior to 4.90, allowing remote code execution via crafted AUTH PLAIN commands. The PoC manipulates memory to achieve arbitrary code execution by overwriting specific bytes.

Description

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.

Exploits (7)

exploitdb WORKING POC
by hackk.gr · python · remote · linux
https://www.exploit-db.com/exploits/45671

This exploit targets a buffer overflow vulnerability in Exim versions prior to 4.90, allowing remote code execution via crafted AUTH PLAIN commands. The PoC manipulates memory to achieve arbitrary code execution by overwriting specific bytes.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Complex · Reliability: Reliable
Target: Exim < 4.90
No auth needed
Prerequisites: Network access to the Exim SMTP port (25) · Exim version < 4.90
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by straight_blast · python · remote · linux
https://www.exploit-db.com/exploits/44571

This exploit targets CVE-2018-6789, a heap-based buffer overflow in Exim. It leverages memory corruption to overwrite critical structures and achieve remote code execution via a reverse shell.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Complex · Reliability: Reliable
Target: Exim (version not specified in code)
No auth needed
Prerequisites: Network access to Exim SMTP service (port 25) · Exim version vulnerable to CVE-2018-6789
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 10 stars
by martinclauss · dos
https://github.com/martinclauss/exim-rce-cve-2018-6789

This repository provides a comprehensive learning environment for CVE-2018-6789, an Exim RCE vulnerability, including debugging tools, exploit scripts, and a Docker-based setup for analysis.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Complex · Reliability: Reliable
Target: Exim (version 4.89 and earlier)
No auth needed
Prerequisites: Vagrant · Docker · Exim source code
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 9 stars
by synacktiv · remote
https://github.com/synacktiv/Exim-CVE-2018-6789

This is a functional exploit for CVE-2018-6789, a heap-based buffer overflow in Exim. The PoC leverages an off-by-one vulnerability to achieve remote code execution by manipulating memory chunks and executing a shellcode payload via a reverse shell.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Complex · Reliability: Reliable
Target: Exim (versions affected by CVE-2018-6789)
No auth needed
Prerequisites: Network access to vulnerable Exim server · Knowledge of target's memory layout (acl_pointer)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by beraphin · remote
https://github.com/beraphin/CVE-2018-6789

This repository contains a proof-of-concept exploit for CVE-2018-6789, a base64 decoding off-by-one vulnerability in Exim 4.89. The exploit leverages heap manipulation techniques to achieve remote code execution by corrupting heap metadata and overlapping chunks.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Complex · Reliability: Reliable
Target: Exim 4.89
No auth needed
Prerequisites: Exim 4.89 installed and running · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by thistehneisen · remote
https://github.com/thistehneisen/CVE-2018-6789-Python3

This is a Python3-based exploit for CVE-2018-6789, targeting Exim versions prior to 4.90.1. It leverages a heap-based buffer overflow to achieve remote code execution via a reverse shell.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Complex · Reliability: Reliable
Target: Exim < 4.90.1
No auth needed
Prerequisites: Network access to Exim SMTP port (default 25) · Exim version < 4.90.1
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by c0llision · local
https://github.com/c0llision/exim-vuln-poc

This PoC exploits a heap-based buffer overflow in Exim (CVE-2018-6789) by sending maliciously crafted SMTP commands to trigger a collision in the heap allocator, potentially leading to remote code execution. The exploit uses the `pwntools` library to interact with the SMTP service and manipulate memory.

Classification: Working PoC (90%) · Attack Type: RCE · Complexity: Moderate · Reliability: Theoretical
Target: Exim (versions prior to fix for CVE-2018-6789)
No auth needed
Prerequisites: Network access to the SMTP service (port 25) · Vulnerable version of Exim
devstral-2 · analyzed Feb 16, 2026

References (14)

Vendor Advisory (x_refsource_confirm): https://exim.org/static/doc/security/CVE-2018-6789.txt
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2018/02/07/2
Third Party Advisory (vendor-advisory, x_refsource_ubuntu): https://usn.ubuntu.com/3565-1/
Mailing List, Third Party Advisory (x_refsource_confirm): http://openwall.com/lists/oss-security/2018/02/10/2
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1040461
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2018/dsa-4110
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/44571/
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2018/02/msg00009.html
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/103049
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/45671/
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/162959/Exim-base64d-Buffer-Overflow.html

Scores

CVSS v3: 9.8
EPSS: 0.8244
EPSS Percentile: 99.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2020-02-25
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2018-18536
Ransomware Use: Confirmed
CWE: CWE-120
Status: published
Products (7)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
exim/exim < 4.90.1
Published: Feb 08, 2018
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026