Just one week after a previously patched vulnerability in Exim mail servers was disclosed by Qualys, attackers have begun searching out vulnerable Exim systems, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to urge users to update their systems to the latest version.
CISA reported that the vulnerability, CVE-2019-10149, has been detected in exploits in the wild and strongly recommends that Exim users apply the update. The vulnerability affects versions 4.87 to 4.91 and allows a local, or in some cases a remote, attacker to execute commands as root via execv, with no memory corruption or return-oriented programming involved. A local attacker can exploit it instantly; against a default configuration a remote attacker must create and sustain a rather odd set of circumstances, keeping a connection to the vulnerable server open for days. All the affected versions of Exim are vulnerable in their default configuration.
Version 4.92, issued on February 10, 2019, includes a patch that fixes the issue; Tenable estimates that 4.1 million servers remain vulnerable.
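The practical question for anyone running Exim is whether a given server falls in the 4.87 to 4.91 range. The following Python triage script is an added example, not code from the article, CISA, Qualys or the Exim project: it pulls the version out of either `exim -bV` output or a server's SMTP greeting and classifies it against the affected range. The sample strings and the host name `mail.example.test` are constructed, and the helper names (`assess`, `fetch_banner`) are this example's own. Because distributions ship backported fixes under the old version number, a "vulnerable" verdict from a version check alone means "verify the package changelog", not "confirmed exploitable".

```python
"""Triage helper for CVE-2019-10149 (Exim 4.87 - 4.91).

Added example, not code from the article, CISA, Qualys or the Exim project.
It reads the version from `exim -bV` output or from an SMTP banner and
classifies it against the affected range. Version-only checks cannot see
distribution backports, so "vulnerable" means "verify", not "confirmed".
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Affected (inclusive) and fixed releases as stated in the article.
VULN_MIN: Tuple[int, int] = (4, 87)
VULN_MAX: Tuple[int, int] = (4, 91)
FIXED: Tuple[int, int] = (4, 92)

# Matches "Exim version 4.91 #1 ..." (exim -bV) and "... ESMTP Exim 4.91 ..." (banner).
VERSION_RE = re.compile(r"\bExim(?: version)? (\d+)\.(\d+)")


@dataclass
class Verdict:
    version: Optional[Tuple[int, int]]
    status: str  # "vulnerable", "fixed", "outside-range" or "unknown"
    note: str


def parse_exim_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from exim -bV output or an SMTP banner, else None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(text: str, backport_confirmed: bool = False) -> Verdict:
    """Classify a version string against the CVE-2019-10149 range.

    backport_confirmed: set True only after checking the distro package
    changelog for CVE-2019-10149; the version string alone cannot tell.
    """
    ver = parse_exim_version(text)
    if ver is None:
        return Verdict(None, "unknown", "no Exim version string found; inspect the host directly")
    if ver >= FIXED:
        return Verdict(ver, "fixed", "4.92 or later")
    if VULN_MIN <= ver <= VULN_MAX:
        if backport_confirmed:
            return Verdict(ver, "fixed", "in affected range, but a backported fix was confirmed")
        return Verdict(ver, "vulnerable",
                       "in affected range; upgrade to 4.92 or confirm a backported fix")
    return Verdict(ver, "outside-range", "older than 4.87; not in the range the advisory lists")


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the SMTP greeting from a live server (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(512).decode("ascii", errors="replace").strip()


# Constructed sample inputs (not real hosts or captured traffic).
SAMPLE_BV = (
    "Exim version 4.91 #1 built 10-Jun-2019 09:00:00\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)
SAMPLE_BANNER_FIXED = "220 mail.example.test ESMTP Exim 4.92 Tue, 11 Jun 2019 10:00:00 +0000"
SAMPLE_BANNER_HIDDEN = "220 mail.example.test ESMTP ready"


if __name__ == "__main__":
    for label, sample in [("exim -bV", SAMPLE_BV),
                          ("banner", SAMPLE_BANNER_FIXED),
                          ("banner", SAMPLE_BANNER_HIDDEN)]:
        v = assess(sample)
        print(f"{label:8} {v.version} -> {v.status}: {v.note}")
```

Run it locally with the output of `exim -bV` on the host itself, or feed `fetch_banner()` the address of a server you are authorized to test; servers that suppress the version in their greeting come back as "unknown" and need a local check.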
“Security researchers have observed active exploitation in the wild, one of which includes an attack resulting in permanent root access to vulnerable systems via SSH. It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding,” said Satnam Narang, senior research engineer with Tenable.
One reason so many Exim users may not have updated is a lack of awareness. The patch for CVE-2019-10149 was included in version 4.92 but was not flagged as a security fix in that release, as Exim does not issue separate security updates.