Just one week after a previously patched vulnerability in Exim mail servers was disclosed by Qualys, attackers have begun searching out vulnerable Exim systems prompting the Cybersecurity and Infrastructure Security Agency (CISA) to encourage users to update their systems to the latest version.

CISA reported the vulnerability CVE-2019-10149 was detected in exploits in the wild and highly recommends Exim users employ the update. The vulnerability affects versions 4.87 to 4.91 allows a local, or in some cases, a remote attacker to execv as root, with no memory corruption or return-oriented programming involved. While the vulnerability can be exploited instantly a rather odd set of circumstances must be created and sustained. All the affected versions of Exim are vulnerable by default.

Version 4.92, issued on February 10, 2019, includes a patch to fix the issue, with Tenable estimating 4.1 million servers remain vulnerable.

“Security researchers have observed active exploitation in the wild, one of which includes an attack resulting in permanent root access to vulnerable systems via SSH. It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding,” said Satnam Narang, senior research engineer with Tenable.

One reason so many Exim users may have not updated was awareness. The patch for CVE-2019-10149 was included in version 4.92, but was not labeled as a security issue as Exim does not issue separate security updates.