July 12, 2024 at 04:55PM
Censys warns of over 1.5 million unpatched Exim mail transfer agent (MTA) instances vulnerable to CVE-2024-39929, allowing threat actors to bypass security measures and deliver malicious attachments. While mostly concentrated in the US, Russia, and Canada, these servers are at risk, with a PoC available but no active exploitation reported yet. Admins are advised to restrict remote access until servers can be updated.
Key takeaways from the report are:
1. Over 1.5 million Exim mail transfer agent (MTA) instances are unpatched against a critical vulnerability known as CVE-2024-39929, potentially allowing threat actors to deliver malicious executable attachments into end users’ mailboxes by circumventing security filters.
2. As of July 10, 2024, Censys observes 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada.
3. Administrators are advised to upgrade Exim immediately; where an immediate upgrade is not possible, they should restrict remote access to their servers from the Internet to block incoming exploitation attempts.
4. The National Security Agency (NSA) previously revealed that the Russian military hacking group Sandworm has exploited Exim flaws, underscoring the seriousness of the threat.
5. Over 59% of the mail servers reachable on the Internet during a recent survey were running Exim, representing just over 241,000 Exim instances.
6. Exim servers reachable online are found predominantly in the United States, Russia, and the Netherlands; with millions of them exposed to the Internet, these MTAs are an attractive target for attacks.
7. Recent patches addressed zero-days, emphasizing the need for constant vigilance and prompt action to mitigate security risks.
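Items 2 and 3 give administrators a concrete first-pass check: any Exim instance reporting version 4.97.1 or earlier should be treated as potentially affected and scheduled for upgrade. The script below is an added example, not code from Censys or the Exim project, that applies that threshold to version strings taken from an Exim SMTP greeting or from the first line of `exim -bV` output. The hostnames and banner lines are constructed for the example; a banner-derived version is only a hint, since distributions may backport the fix without changing the reported version number, so confirm against the package changelog before closing a ticket.

```python
"""Flag Exim instances whose reported version falls in the range the Censys
report describes as potentially vulnerable to CVE-2024-39929 (4.97.1 or earlier).
Added example; the threshold comes from the report, the sample data is invented."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Threshold stated in the report: Exim 4.97.1 and earlier are potentially affected.
LAST_VULNERABLE_VERSION: Version = (4, 97, 1)

# Matches "Exim 4.96" (Exim's default SMTP greeting) and
# "Exim version 4.97.1" (first line of `exim -bV`).
_VERSION_RE = re.compile(r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from an Exim banner or `exim -bV` line,
    or None when the text does not identify an Exim version at all."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    # A two-component version such as 4.96 is treated as patch level 0.
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_potentially_vulnerable(version: Version) -> bool:
    """True when the version is at or below the report's 4.97.1 threshold.
    Tuple comparison orders (4, 97, 1) below (4, 98, 0) as intended."""
    return version <= LAST_VULNERABLE_VERSION


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'upgrade', 'ok' or 'unknown' from its banner text.
    'unknown' covers non-Exim MTAs and banners with the version stripped."""
    result: Dict[str, str] = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            result[host] = "unknown"
        elif is_potentially_vulnerable(version):
            result[host] = "upgrade"
        else:
            result[host] = "ok"
    return result


# Constructed sample data: hostnames and greeting lines are invented for this example.
SAMPLE_BANNERS: Dict[str, str] = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.96 Fri, 12 Jul 2024 16:55:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.97.1 Fri, 12 Jul 2024 16:55:00 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.98 Fri, 12 Jul 2024 16:55:00 +0000",
    "relay.example.test": "220 relay.example.test ESMTP Postfix",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host:20} {status}")
```

Feed `triage` the greeting lines collected from your own mail servers (or the output of `exim -bV` gathered by configuration management) and act on every host marked `upgrade`; hosts marked `unknown` need a manual look, since a customised `smtp_banner` can hide the version without changing the underlying risk.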