A critical security vulnerability has been revealed in the Exim mail transfer agent, potentially enabling cybercriminals to send harmful attachments straight to unsuspecting users' inboxes.
The flaw, identified as CVE-2024-39929, has a severity rating of 9.1 out of 10.0 on the Common Vulnerability Scoring System (CVSS). This issue has been addressed in Exim version 4.98.
According to the U.S. National Vulnerability Database (NVD), "Exim versions up to 4.97.1 incorrectly parse a multiline RFC 2231 header filename, thereby allowing remote attackers to bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users."
Exim, a free mail transfer agent used on hosts running Unix or Unix-like operating systems, was first released in 1995 at the University of Cambridge. Attack surface management firm Censys reports that out of 6,540,044 public-facing SMTP mail servers, 4,830,719 are running Exim. As of July 12, 2024, 1,563,085 internet-accessible Exim servers are running a potentially vulnerable version (4.97.1 or earlier).
The majority of these vulnerable instances are found in the U.S., Russia, and Canada.
The vulnerability could enable a remote attacker to bypass filename-extension blocking protections and deliver executable attachments directly to end users' mailboxes. If a user were to download or run one of these malicious files, their system could be compromised.
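As an added illustration of the check a mail filter needs here (example code written for this article, not Exim's own implementation and not a description of the specific Exim defect): an RFC 2231 parameter parser that unfolds the header and reassembles every filename section before the extension policy is applied, so the policy judges the complete name rather than a single fragment. The key pattern, the blocklist and the sample headers are constructed for the example.

```python
import re
from urllib.parse import unquote

# RFC 2231 key forms: filename, filename*, filename*0, filename*1* (constructed pattern).
_KEY_RE = re.compile(r'^(?P<name>[^*]+)(?:\*(?P<sec>\d+))?(?P<ext>\*)?$')

# Extension policy; a constructed list standing in for a site's own rules.
BLOCKED_EXTENSIONS = {'exe', 'scr', 'bat', 'com', 'pif', 'vbs', 'js'}

def candidate_filenames(header_value):
    """Every filename a Content-Disposition header presents: folded lines are
    unfolded, RFC 2231 sections (filename*0, filename*1, ...) are reassembled
    in numeric order with charset'lang'%XX values decoded, and a plain
    filename= parameter, if also present, is returned as a second candidate."""
    unfolded = re.sub(r'\r?\n[ \t]+', ' ', header_value)
    plain, sections = None, {}
    for part in unfolded.split(';')[1:]:
        if '=' not in part:
            continue
        key, raw = (s.strip() for s in part.split('=', 1))
        m = _KEY_RE.match(key.lower())
        if not m or m.group('name') != 'filename':
            continue
        value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
        if m.group('sec') is None and m.group('ext') is None:
            plain = value          # classic RFC 2183 form
            continue
        sec = int(m.group('sec') or 0)
        if m.group('ext'):         # extended value: charset'lang'%XX...
            if sec == 0 and value.count("'") >= 2:
                value = value.split("'", 2)[2]
            value = unquote(value)
        sections[sec] = value
    names = [''.join(sections[i] for i in sorted(sections))] if sections else []
    if plain is not None:
        names.append(plain)
    return names

def attachment_blocked(header_value):
    """Apply the policy to the reassembled name(s), never to one fragment."""
    for name in candidate_filenames(header_value):
        ext = name.rsplit('.', 1)[1].lower() if '.' in name else ''
        if ext in BLOCKED_EXTENSIONS:
            return True
    return False

# Constructed samples: one name spread across folded RFC 2231 sections, one plain.
SAMPLE_SPLIT = "attachment;\r\n filename*0*=UTF-8''quarterly;\r\n filename*1*=%2Ereport;\r\n filename*2=.exe"
SAMPLE_PLAIN = 'attachment; filename="quarterly.pdf"'
```

A filter that reads only the first section or only the plain parameter would see no blocked extension in SAMPLE_SPLIT; judging every candidate is the conservative choice.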
However, for an attack to be successful, targets must click on an attached executable. While there are currently no reports of active exploitation of this flaw, it is crucial that users promptly apply the patches to mitigate potential threats.
This development comes nearly a year after the project maintainers addressed a set of six vulnerabilities in Exim that could lead to information disclosure and remote code execution.