CVE-2020-28018

CRITICAL

Exim 4.90-4.94.1 - Use-After-Free in SMTP Reset

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-28018. PoCs published by lockedbyte, dorkerdevil, zr0tt.

Description

Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.

Exploits (3)

github WORKING POC 690 stars
by lockedbyte · cpoc
https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2020-28018

This repository contains a functional exploit for CVE-2020-28018, a use-after-free vulnerability in Exim's `tls-openssl.c` leading to remote code execution. The exploit includes a checker script to verify target vulnerability and detailed setup instructions for environment configuration.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Exim versions 4.90 to 4.94.2
No auth needed
Prerequisites: TLS enabled · OpenSSL used · X_PIPE_CONNECT disabled · PIPELINING enabled
devstral-2 · analyzed Feb 27, 2026

nomisec SCANNER 7 stars
by dorkerdevil · poc
https://github.com/dorkerdevil/CVE-2020-28018

This repository contains a checker script for CVE-2020-28018, a Use-After-Free vulnerability in Exim's tls-openssl.c. The script verifies if the target Exim version is vulnerable and checks for necessary conditions like PIPELINING and STARTTLS being enabled.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Exim versions 4.90 to 4.94.2
No auth needed
Prerequisites: TLS enabled · OpenSSL used · PIPELINING enabled · STARTTLS enabled · X_PIPE_CONNECT disabled
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 2 stars
by zr0tt · poc
https://github.com/zr0tt/CVE-2020-28018

This repository provides a detailed technical analysis of CVE-2020-28018, a use-after-free vulnerability in Exim4's TLS implementation. It includes a breakdown of the vulnerability in the `tls_write` function and the conditions required for exploitation, but lacks a functional exploit or PoC code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: Exim4 (versions up to 4.93)
No auth needed
Prerequisites: STARTTLS enabled · PIPELINING enabled · X_PIPE_CONNECT disabled · Exim4 compiled with OpenSSL
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References (each tagged Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2021/05/11/5
http://www.openwall.com/lists/oss-security/2021/05/11/6
http://www.openwall.com/lists/oss-security/2021/05/11/17
http://www.openwall.com/lists/oss-security/2021/05/11/15
http://www.openwall.com/lists/oss-security/2021/05/11/14
http://www.openwall.com/lists/oss-security/2021/05/12/2
http://www.openwall.com/lists/oss-security/2021/05/12/3

Scores

CVSS v3: 9.8
EPSS: 0.6591
EPSS Percentile: 98.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-416
Status: published
Products (1): exim/exim 4.90 - 4.94.2
Published: May 06, 2021
Tracked Since: Feb 18, 2026