Dead.Letter Walking: Unauthenticated RCE Stalks Exim Mail Servers

Red | Vulnerability Report
Summary

CVE-2026-45185, known as Dead.Letter, is a critical unauthenticated remote code execution flaw in the Exim mail server, carrying a CVSS score of 9.8. This Exim vulnerability was first seen on May 1, 2026, and affects the Exim Internet Mailer. The Dead.Letter vulnerability is a use-after-free bug in the BDAT message body parser that is triggered only on builds compiled with GnuTLS, which makes Debian, Ubuntu, and Debian-derived Linux distributions the primary exposure surface for this critical Exim security flaw.

An attacker needs only network access to a public-facing SMTP server on port 25, 465, or 587 to exploit the Dead.Letter vulnerability, with no credentials, user interaction, or special server configuration required. A successful exploit of this Exim remote code execution flaw runs arbitrary code as the Exim service account, enabling mail theft, configuration tampering, and lateral movement within compromised networks. The Dead.Letter vulnerability was disclosed on May 12, 2026 and is fixed in Exim 4.99.3 and matching Debian and Ubuntu packages, but public proof-of-concept code is already circulating for this Exim vulnerability, so urgent patching is strongly advised.

Vulnerability Details

CVE-2026-45185, nicknamed Dead.Letter, is a critical use-after-free flaw classified as CWE-416 in the Exim mail server. The Exim vulnerability lives where Exim’s GnuTLS-based TLS code meets its BDAT message body parser. When a client sends a BDAT chunk inside a TLS session and the TLS layer shuts down mid-transfer, the Exim mail server frees an internal buffer called ssl_xfer_buffer but forgets to clear the pointer and forgets to reset its lower-layer receive functions. A moment later, the parser writes a single byte (a newline character) into that already-freed memory. That one stray byte corrupts heap metadata, and attackers can shape that corruption into full remote code execution through this Exim vulnerability.

The Dead.Letter flaw affects Exim versions 4.97 through 4.99.2, but only when the Exim software was built with GnuTLS (USE_GNUTLS=yes). Builds linked against OpenSSL are completely safe from this Exim vulnerability. This means the real-world exposure sits almost entirely on Debian, Ubuntu (including 24.04 LTS), and Debian-based Linux distributions, which ship GnuTLS-linked Exim by default. Red Hat and SUSE systems, which usually use OpenSSL builds, are not affected by this specific Dead.Letter vulnerability path.

Attackers exploiting the Dead.Letter vulnerability do not need a username, password, or any prior access to the Exim mail server. They simply need to open a TLS connection to a public-facing SMTP server on port 25, 465, or 587 and use the standard CHUNKING (BDAT) extension. Both STARTTLS and CHUNKING are advertised by default on most Exim servers, so no special server configuration is required to exploit this Exim vulnerability. The Dead.Letter vulnerability carries a CVSS v3.1 score of 9.8 (Critical).

A successful attack exploiting the Dead.Letter vulnerability lets an unauthenticated remote attacker run arbitrary code as the Exim service account, which on most systems has enough privilege to bind to mail ports and read the mail spool, opening the door to mail theft, ACL tampering, and pivoting deeper into the network. The Exim vulnerability was discovered by XBOW Security Lab and reported to Exim on May 1, 2026. The Dead.Letter vulnerability was publicly disclosed on May 12, 2026, and is fixed in Exim 4.99.3, with matching patches available from Debian and Ubuntu. Public proof-of-concept code and detection scripts are already circulating for this Exim vulnerability, so patching urgently is strongly recommended.

The CVE-2026-45185 vulnerability affects Exim Internet Mailer versions 4.97 through 4.99.2 (GnuTLS builds only). The affected CPE is cpe:2.3:a:exim:exim::::::::. The Dead.Letter vulnerability is classified under CWE-416 (Use After Free). This Exim vulnerability has been patched but is not currently listed in the CISA KEV catalog and is not a zero-day vulnerability.

Recommendations

Update Exim to version 4.99.3 or later immediately, which is the official fix released on May 12, 2026 for the Dead.Letter vulnerability. For Debian and Ubuntu systems, install the coordinated security packages with apt-get update followed by apt-get install --only-upgrade exim4, then restart the Exim service. After patching the Exim vulnerability, verify that the running binary matches the fixed version using exim -bV rather than relying on the package version string alone. This is the most critical step to protect Exim mail servers from the Dead.Letter remote code execution flaw.

If you cannot upgrade Exim immediately to patch the Dead.Letter vulnerability, add the line chunking_advertise_hosts = (that is, with an empty value) to the main section of your Exim configuration and restart the service. This stops Exim from advertising the CHUNKING extension and blocks the BDAT attack path that triggers the Dead.Letter vulnerability. Note that this is a stopgap workaround, not a permanent fix for the Exim vulnerability, and it may affect mail delivery from senders that rely on BDAT for large messages.

Limit access to TCP ports 25, 465, and 587 at the firewall level to only the known relay peers, partners, and authenticated submission clients that genuinely need to reach the Exim mail server. Internet-wide exposure of SMTP ports should be avoided wherever the business function does not require it, reducing the attack surface for the Dead.Letter vulnerability and future SMTP-layer vulnerabilities in Exim.

Identify every internet-facing Exim mail server in your estate, including legacy relays, acquired systems, and hosting-provider defaults that may have been forgotten. For each Exim server, confirm the version and TLS backend (GnuTLS versus OpenSSL) using exim -bV or the publicly available Dead.Letter detection scripts, since only GnuTLS builds are exposed to this Exim vulnerability and shadow mail infrastructure is the most common source of unpatched, vulnerable Exim systems.
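The version, TLS-backend and workaround checks described in the three recommendations above, as an added example that is not part of the advisory or of the Exim project: it reads the text of exim -bV and exim -bP chunking_advertise_hosts and applies the advisory's criteria (Exim 4.97 through 4.99.2, GnuTLS builds only). The sample outputs are constructed in the shape of Exim's output, not captured from a real host.

```shell
# Added example (not from the advisory or Exim): classify a host's exposure to
# CVE-2026-45185 from `exim -bV` text and check the chunking_advertise_hosts
# workaround from `exim -bP` text. Sample outputs below are constructed.

# "4.99.2" / "4.98" -> comparable integer (major*1000000 + minor*1000 + patch).
ver_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# exim_exposure "<exim -bV output>" -> VULNERABLE | PATCHED | NOT_IN_RANGE |
#                                      NOT_AFFECTED_OPENSSL | UNKNOWN_BACKEND | UNKNOWN
exim_exposure() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo UNKNOWN; return 0; }
    # The TLS library appears as a token on the "Support for:" line of exim -bV.
    support=$(printf '%s\n' "$1" | sed -n 's/^Support for: //p')
    backend=unknown
    case " $support " in *" GnuTLS "*) backend=gnutls ;; *" OpenSSL "*) backend=openssl ;; esac
    k=$(ver_key "$ver")
    [ "$k" -ge "$(ver_key 4.97)" ]   || { echo NOT_IN_RANGE; return 0; }
    [ "$k" -le "$(ver_key 4.99.2)" ] || { echo PATCHED; return 0; }
    case "$backend" in
        gnutls)  echo VULNERABLE ;;           # advisory: only GnuTLS builds are exposed
        openssl) echo NOT_AFFECTED_OPENSSL ;;
        *)       echo UNKNOWN_BACKEND ;;
    esac
}

# chunking_disabled "<exim -bP chunking_advertise_hosts output>" -> yes | no | unknown
# An empty value means CHUNKING (BDAT) is no longer advertised to any host.
chunking_disabled() {
    line=$(printf '%s\n' "$1" | grep '^chunking_advertise_hosts' | head -n 1)
    [ -n "$line" ] || { echo unknown; return 0; }
    val=$(printf '%s' "${line#*=}" | tr -d ' \t')
    [ -z "$val" ] && echo yes || echo no
}

# Constructed samples in the shape of `exim -bV` (only the lines the checks read).
SAMPLE_GNUTLS='Exim version 4.99.2 #3 built 14-Mar-2026 10:11:12
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC'
SAMPLE_OPENSSL='Exim version 4.98.1 #1 built 02-Feb-2025 09:00:00
Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DKIM'
SAMPLE_FIXED='Exim version 4.99.3 #1 built 12-May-2026 08:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM'

# On a live host: exim_exposure "$(exim -bV)"; chunking_disabled "$(exim -bP chunking_advertise_hosts)"
echo "gnutls 4.99.2: $(exim_exposure "$SAMPLE_GNUTLS")  openssl 4.98.1: $(exim_exposure "$SAMPLE_OPENSSL")"
echo "gnutls 4.99.3: $(exim_exposure "$SAMPLE_FIXED")  workaround: $(chunking_disabled 'chunking_advertise_hosts = ')"
```

Run it over the output of every host in the inventory; a GnuTLS build inside the affected range that still reports the workaround as "no" is the case to treat as exposed.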

Maintain an up-to-date inventory of Exim mail software versions and patch levels, subscribe to upstream Exim, Debian, and Ubuntu security advisories, and integrate vulnerability detection into routine configuration management. In parallel, harden the Exim systemd service with directives such as NoNewPrivileges=yes, MemoryDenyWriteExecute=yes, ProtectSystem=strict, and PrivateTmp=yes, and confirm full ASLR is enabled to limit the impact of any future memory corruption flaw like Dead.Letter in the same Exim component.

MITRE ATT&CK TTPs

The Dead.Letter Exim vulnerability can be exploited using several MITRE ATT&CK tactics and techniques. Under Reconnaissance, adversaries employ Active Scanning (T1595), specifically Vulnerability Scanning (T1595.002), to identify vulnerable Exim mail servers exposed to the internet. For Initial Access, attackers leverage Exploit Public-Facing Application (T1190) to target the publicly accessible Dead.Letter vulnerability in Exim mail servers.

The Execution tactic involves Command and Scripting Interpreter (T1059), specifically Unix Shell (T1059.004), where attackers execute arbitrary code on the compromised Exim server. Additionally, Exploitation for Client Execution (T1203) is used during the Dead.Letter vulnerability exploitation process. Under Defense Evasion, adversaries may use Deobfuscate/Decode Files or Information (T1140) to hide malicious payloads delivered through the Exim vulnerability.

For Discovery, attackers conduct System Information Discovery (T1082) to gather information about the compromised Exim mail server environment. The Collection tactic involves Email Collection (T1114), specifically Remote Email Collection (T1114.002), where attackers steal emails from the compromised Exim server exploited through the Dead.Letter vulnerability. Exfiltration occurs through Exfiltration Over C2 Channel (T1041) to remove stolen data from the compromised environment.

The Dead.Letter Exim vulnerability enables Privilege Escalation through Exploitation for Privilege Escalation (T1068) to gain elevated access. Under Resource Development, adversaries employ Obtain Capabilities (T1588), including Vulnerabilities (T1588.006) and Exploits (T1588.005), by acquiring or developing exploits for the Dead.Letter Exim vulnerability. For Command and Control, attackers use Application Layer Protocol (T1071), specifically Mail Protocols (T1071.003), to maintain persistent access through the compromised Exim server. Finally, the Impact tactic includes Endpoint Denial of Service (T1499) that can result from exploitation of the Dead.Letter vulnerability.

References

https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim

https://www.cycognito.com/blog/emerging-threat-cve-2026-45185-exim-remote-code-execution-via-bdat-over-gnutls/

https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/

https://www.openwall.com/lists/oss-security/2026/05/12/25

https://github.com/liamromanis101/Dead.Letter-CVE-2026-45185

https://github.com/materaj2/cve-2026-45185-detection-script
