CVE-2018-6789

CVE-2018-6789 is a critical-severity vulnerability in Exim with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-120.

Key facts

Description

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.

CVE-2018-6789: Exim base64d Off-by-One Buffer Overflow in SMTP Listener

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2018-6789
CVSS v3 9.8 (Critical)
CVSS v2 7.5 (High)
EPSS 0.82238 (99.6th percentile)
KEV Yes (CISA, since 2021-11-03)
CWE CWE-120: Buffer Overflow
Published 2018-02-08
Modified 2026-06-17

Summary

A buffer overflow vulnerability exists in the base64d function of Exim's SMTP listener in versions prior to 4.90.1. An attacker can send a specially crafted SMTP message to trigger the overflow, potentially achieving remote code execution on the mail server without authentication.

Background

Exim is one of the most widely deployed Mail Transfer Agents (MTA) on Unix-like systems, including Debian and Ubuntu distributions. The base64d function is used to decode Base64-encoded data during SMTP transactions. In 2018, security researchers discovered that a malformed input to this function could trigger an off-by-one buffer overflow condition, leading to arbitrary code execution.

Root Cause

This vulnerability is classified as CWE-120: Buffer Overflow. The flaw resides in the base64d function in Exim's source code, which decodes Base64 strings during the SMTP communication process. Specifically, an off-by-one error occurs when processing malformed Base64 data, allowing data to be written past the bounds of a fixed-size buffer. This is a classic memory safety violation that corrupts adjacent memory regions, leading to exploitable conditions for remote code execution.

Impact

The CVSS v3 score of 9.8 (Critical) reflects the severity of this vulnerability. The scoring metrics are:

  • Attack Vector (AV): Network — exploitable remotely over the internet
  • Attack Complexity (AC): Low — no special conditions or bypasses required
  • Privileges Required (PR): None — unauthenticated attacker can exploit
  • User Interaction (UI): None — no user action required
  • Scope (S): Unchanged — impacts the vulnerable component only
  • Confidentiality (C): High — total information disclosure
  • Integrity (I): High — complete compromise of data integrity
  • Availability (A): High — complete system downtime possible

An attacker exploiting this flaw can gain full control over the Exim mail server, potentially pivoting to the underlying host system, accessing sensitive mail data, and using the compromised server as a launch point for further attacks.

Exploitation Walkthrough

Note: This section is provided for defensive awareness only. The details are generic and do not constitute working exploit code. Security professionals should use this information to design detection and mitigation strategies.

The vulnerability is triggered during the SMTP Base64 decoding process. An attacker connects to the target Exim SMTP listener (typically port 25) and sends a message containing a crafted Base64 string. The malformed input causes an off-by-one overflow in the decoding buffer. This has been demonstrated in publicly available proof-of-concept research, though weaponized exploit code is not reproduced here.

Ethics caveat: Do not attempt to exploit this vulnerability on systems you do not own or have explicit written authorization to test. Unauthorized access to computer systems is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) and similar international statutes.

Affected and Patched Versions

Affected:

  • Exim versions prior to 4.90.1
  • Debian Linux 7.0, 8.0, 9.0
  • Ubuntu Linux 14.04 ESM, 16.04 ESM, 17.10
  • SUSE/openSUSE distributions with vulnerable Exim packages

Patched:

  • Exim 4.90.1 and later
  • Patched packages available from Debian (DSA-4110), Ubuntu (USN-3565-1), and other distribution maintainers

Remediation

  1. Primary remediation: Upgrade Exim to version 4.90.1 or later immediately. This is the only definitive fix.
  2. Compensating controls: If immediate patching is not feasible, restrict SMTP access to trusted hosts using network-level firewalls or TCP wrappers. Monitor for anomalous Base64 payloads in SMTP transactions.
  3. Vendor patches: Apply distribution-specific security updates (Debian DSA-4110, Ubuntu USN-3565-1, SUSE/openSUSE advisories).
  4. Post-incident: If exploitation is suspected, capture memory dumps and network logs for forensic analysis, and rebuild the server from a known-good baseline if compromise is confirmed.

Detection

Defenders should monitor for:

  • Unusual connection patterns to SMTP listeners on Exim servers
  • Abnormally large or malformed Base64 strings in SMTP AUTH or DATA payloads
  • Memory corruption indicators (segmentation faults, unusual process restarts) in Exim logs
  • Suricata/Snort rules or network signatures targeting Exim buffer overflow attempts
  • Unexpected outbound connections from the mail server suggesting post-exploitation activity

Assessment

With an EPSS score of 0.82238 (99.6th percentile) and inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog since November 2021, this vulnerability carries a high probability of active exploitation in the wild. The EUVD also tracks this vulnerability as exploited. Its presence in exploit databases further confirms that weaponized exploit code is publicly available.

Key lessons:

  1. Memory-unsafe functions handling external input remain a critical attack surface, even in mature, widely audited open-source software like Exim.
  2. Rapid patching of MTAs is essential because they are internet-facing, unauthenticated services that are continuously scanned and targeted by automated exploitation frameworks.

References

Frequently asked questions

What is CVE-2018-6789?
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
How severe is CVE-2018-6789?
CVE-2018-6789 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2018-6789 being actively exploited?
Yes. CVE-2018-6789 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-6789?
CVE-2018-6789 primarily affects Exim. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-6789?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-6789 have an EU (EUVD) identifier?
Yes. CVE-2018-6789 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-18536. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2018-6789 published?
CVE-2018-6789 was published on 2018-02-08 and last updated on 2026-06-17.

References

Affected products (7)

More vulnerabilities in Exim

All CVEs affecting Exim →

Other CWE-120 (Classic Buffer Overflow) vulnerabilities

Browse all CWE-120 (Classic Buffer Overflow) vulnerabilities →