How can organizations mitigate the risk associated with CVE-2026-45185?

Organizations should immediately update to Exim version 4.99.3, which addresses this vulnerability, to prevent potential exploitation.

Critical Exim Vulnerability CVE-2026-45185: Immediate Action Required

A newly discovered vulnerability in Exim allows remote code execution, posing significant risks to email servers worldwide.

Published: May 13, 2026

Share this on:

Executive Summary

In May 2026, a critical vulnerability identified as CVE-2026-45185 was discovered in Exim, a widely used open-source mail transfer agent. This use-after-free flaw in certain GnuTLS configurations allows unauthenticated remote attackers to execute arbitrary code by exploiting the BDAT body parsing path during TLS shutdown. The vulnerability affects Exim versions 4.97 through 4.99.2 when built with GnuTLS and with STARTTLS and CHUNKING enabled. Exploitation could lead to unauthorized access to email data and potential further compromise of affected systems. (thehackerwire.com)

The discovery of this vulnerability underscores the ongoing risks associated with widely deployed open-source software and the importance of timely patching. The incident also highlights the evolving landscape of cyber threats, where attackers increasingly target foundational internet services to gain broad access.

Why This Matters Now

This vulnerability poses an immediate risk to organizations using affected Exim versions, as it allows remote code execution without authentication. Prompt application of the provided patches is crucial to prevent potential exploitation and data breaches.

Attack Path Analysis

An unauthenticated remote attacker exploited a use-after-free vulnerability in Exim's GnuTLS implementation to execute arbitrary code on the server. Upon gaining initial access, the attacker escalated privileges to gain control over the Exim process. They then moved laterally within the network to access other systems. The attacker established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from the compromised systems. Finally, the attacker disrupted services by modifying or deleting critical data.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

An unauthenticated remote attacker exploited a use-after-free vulnerability in Exim's GnuTLS implementation to execute arbitrary code on the server.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-45185
CVSS 9.8
A use-after-free vulnerability in Exim before 4.99.3, in certain GnuTLS configurations, allows unauthenticated remote attackers to execute arbitrary code via crafted BDAT commands.
Affected Products:
Exim Exim – 4.97, 4.98, 4.99.0, 4.99.1, 4.99.2
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-45185 https://exim.org/static/doc/security/CVE-2026-45185.txt http://www.openwall.com/lists/oss-security/2026/05/12/4

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1203

Exploitation for Client Execution

Impact

T1499

Endpoint Denial of Service

Persistence

T1078

Valid Accounts

Discovery

T1082

System Information Discovery

Discovery

T1046

Network Service Scanning

Lateral Movement

T1021

Remote Services

Defense Evasion

T1562

Impair Defenses

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The Exim vulnerability (CVE-2026-45185) indicates a failure to apply timely security patches, exposing systems to known threats.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequacies in the cybersecurity policy regarding vulnerability management and patching procedures.

DORA – ICT Risk Management Framework

Control ID: Article 5

The exploitation of the Exim vulnerability highlights deficiencies in the institution's ICT risk management framework, particularly in identifying and mitigating software vulnerabilities.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

The presence of an unpatched Exim server indicates lapses in asset management practices, leading to unmanaged and vulnerable systems.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reflects a failure to implement appropriate cybersecurity risk management measures, as required by the NIS2 Directive, to prevent exploitation of known vulnerabilities.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

Critical Exim vulnerability enables unauthenticated remote code execution on Linux mail servers, requiring immediate patching and zero trust segmentation implementation.

Financial Services

Email infrastructure compromise threatens sensitive financial communications, demanding encrypted traffic controls and egress security to prevent data exfiltration attacks.

Health Care / Life Sciences

Mail server vulnerabilities risk HIPAA compliance violations through potential PHI exposure, necessitating multicloud visibility and threat detection capabilities enhancement.

Government Administration

Government email systems face critical RCE exposure requiring immediate Exim updates, inline IPS deployment, and enhanced anomaly detection for secure operations.

Sources

New critical Exim mailer flaw allows remote code executionhttps://www.bleepingcomputer.com/news/security/new-critical-exim-mailer-flaw-allows-remote-code-execution/
Verified

Exim Security Advisory: CVE-2026-45185https://exim.org/static/doc/security/CVE-2026-45185.txt

Verified

NVD - CVE-2026-45185https://nvd.nist.gov/vuln/detail/CVE-2026-45185

Verified

Security Release 4.99.3http://www.openwall.com/lists/oss-security/2026/05/12/4

Verified

Frequently Asked Questions

Exim versions 4.97 through 4.99.2 built with GnuTLS and with STARTTLS and CHUNKING enabled are affected by this vulnerability.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix Zero Trust CNSF may not prevent the initial exploitation, it could limit the attacker's ability to escalate privileges or move laterally within the network.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to access sensitive resources even after gaining control over the Exim process.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security could limit the attacker's ability to move laterally by enforcing strict segmentation and monitoring internal traffic.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control could limit the attacker's ability to establish and maintain command and control channels by monitoring and controlling outbound communications.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement could limit the attacker's ability to exfiltrate sensitive data by controlling and monitoring outbound traffic.

Impact (Mitigations)

While Aviatrix Zero Trust CNSF may not prevent the initial compromise, it could limit the attacker's ability to disrupt services by restricting access to critical systems and data.

Impact at a Glance

Affected Business Functions

Email Communication
Customer Support
Internal Communications

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of sensitive email communications and user data.

Recommended Actions

• Implement Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
• Deploy Zero Trust Segmentation to limit lateral movement within the network.
• Utilize East-West Traffic Security to monitor and control internal traffic flows.
• Establish Multicloud Visibility & Control to detect and respond to command and control activities.
• Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Exim Vulnerability CVE-2026-45185: Immediate Action Required

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-45185

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Exploitation for Client Execution

Endpoint Denial of Service

Valid Accounts

System Information Discovery

Network Service Scanning

Remote Services

Impair Defenses

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Financial Services

Health Care / Life Sciences

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads