
A vulnerability has been disclosed in Exim, a widely used mail transfer agent (MTA) for Unix-like systems. Tracked as CVE-2025-26794 and rated CVSS 7.5, it allows a remote attacker to perform SQL injection against the server's hints database.
The flaw affects Exim 4.98 only under a specific combination of build and runtime settings: the hints database is backed by SQLite and ETRN serialization is in use. The argument of a crafted ETRN command reaches the query Exim runs against that SQLite database, so an attacker who can issue ETRN to the server can inject SQL, read or alter what the hints database holds, or disrupt the server's operation.
A system is vulnerable only if all of the following conditions are met:
- It runs Exim 4.98 (4.98.1 carries the fix).
- Exim was built with the USE_SQLITE option. Check with exim -bV: a vulnerable build shows "Hints DB:" followed by "Using sqlite3".
- The runtime configuration enables ETRN, i.e. acl_smtp_etrn returns accept. The default, with acl_smtp_etrn unset, denies ETRN.
- smtp_etrn_serialize is enabled, which is the default.
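The four conditions above can be checked from the output of exim -bV and exim -bP. The script below is an added triage helper, not code from the Exim project or from the advisory. It parses text rather than calling exim directly, so the same functions work on output captured from many hosts or on the constructed samples embedded at the end; live_check wraps the local binary. It assumes that exim -bV prints "Exim version X.YZ #N ..." on its first line and a "Hints DB:" header followed by a "Using <backend>" line, and that exim -bP prints a boolean option as "name" or "no_name" and a string option as "name = value".

```shell
#!/bin/sh
# Added triage helper for the CVE-2025-26794 preconditions. Example code,
# not from the Exim project or the advisory. Functions take the text of
# `exim -bV` / `exim -bP <option>` output as their argument and return 0
# (true) or 1 (false), so they can be driven by captured output.
# Assumed output formats: "Exim version X.YZ #N ..." on the first -bV line,
# a "Hints DB:" header followed by "Using <backend>", and -bP printing a
# boolean as "name"/"no_name" and a string option as "name = value".

# Exact 4.98 only; 4.98.1 and later carry the fix.
bv_version_is_498() {
    printf '%s\n' "$1" | grep -Eq '^Exim version 4\.98([^.0-9]|$)'
}

# USE_SQLITE build: the "Hints DB:" section names sqlite3 as the backend
# (either on the header line itself or on the line after it).
bv_hints_db_is_sqlite() {
    printf '%s\n' "$1" | awk '
        /^Hints DB:/ {
            if ($0 ~ /sqlite3/) found = 1
            else { getline nxt; if (nxt ~ /Using sqlite3/) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# smtp_etrn_serialize is on (the default) unless -bP reports no_smtp_etrn_serialize.
bp_etrn_serialize_on() {
    printf '%s\n' "$1" | grep -q '^smtp_etrn_serialize$'
}

# An ETRN ACL is configured at all. Unset acl_smtp_etrn means ETRN is denied;
# a set one still has to be read by hand to confirm it ends in accept.
bp_etrn_acl_set() {
    printf '%s\n' "$1" | grep -Eq '^acl_smtp_etrn = *[^[:space:]]'
}

# All preconditions together. Args: -bV output, -bP smtp_etrn_serialize
# output, -bP acl_smtp_etrn output. True only if every check passes.
cve_2025_26794_exposed() {
    bv_version_is_498 "$1" && bv_hints_db_is_sqlite "$1" \
        && bp_etrn_serialize_on "$2" && bp_etrn_acl_set "$3"
}

# Run the checks against a local binary (default: exim on PATH).
# Exit status 1 means exposed, so the function can drive automation.
live_check() {
    exim=${1:-exim}
    if cve_2025_26794_exposed "$("$exim" -bV)" \
        "$("$exim" -bP smtp_etrn_serialize)" "$("$exim" -bP acl_smtp_etrn)"; then
        echo "EXPOSED: all CVE-2025-26794 preconditions hold; upgrade to 4.98.1"
        return 1
    fi
    echo "not exposed: at least one precondition fails"
}

# Constructed sample outputs for illustration; not captured from a real host.
SAMPLE_BV_VULN='Exim version 4.98 #2 built 05-Jan-2025 10:11:12
Copyright (c) University of Cambridge, 1995 - 2018
Hints DB:
 Using sqlite3
Lookups (built-in): lsearch dbm dnsdb sqlite
Configuration file is /etc/exim/exim.conf'
SAMPLE_BV_FIXED=$(printf '%s\n' "$SAMPLE_BV_VULN" | sed '1s/4\.98 /4.98.1 /')
SAMPLE_BV_TDB=$(printf '%s\n' "$SAMPLE_BV_VULN" | sed 's/Using sqlite3/Using tdb/')
SAMPLE_SER_ON='smtp_etrn_serialize'
SAMPLE_SER_OFF='no_smtp_etrn_serialize'
SAMPLE_ACL_SET='acl_smtp_etrn = acl_check_etrn'
SAMPLE_ACL_UNSET='acl_smtp_etrn = '
```

On a mail host, source the script and run live_check (or live_check /usr/sbin/exim). Note that the ACL check only tells you that an ETRN ACL exists; whether it actually accepts must be confirmed by reading the ACL, since an ACL that denies closes the path just as the unset default does.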
Successful exploitation could allow an attacker to:
- Read the contents of the Exim hints database.
- Modify or delete records in the hints database.
- Disrupt normal operation of the mail server.
Security researcher Oscar Bataille, who found the flaw, has also published the technical details.
The Exim project has released version 4.98.1 to fix CVE-2025-26794. Exim users are strongly advised to upgrade as soon as possible. Because the bug is only reachable when all four conditions above hold, an installation that cannot upgrade immediately can close the path in the meantime by removing one of them: keep acl_smtp_etrn unset (or have it deny), or set smtp_etrn_serialize = false.