An attacker who exploits this vulnerability gains full control of the affected mail server without needing a password or prior access — the equivalent of handing over the keys to your email infrastructure. Compromised mail servers can be used to intercept or modify business communications, launch internal phishing campaigns with high credibility, exfiltrate sensitive email archives, or serve as a pivot point deeper into the corporate network. For organizations in regulated industries where email carries protected data (health records, legal communications, financial transactions), a breach via this vector may trigger mandatory notification obligations and regulatory scrutiny.
You Are Affected If
You run Exim 4.97 through 4.99.2 on any server — check with: exim --version
Your Exim build uses GnuTLS (default on Debian and Ubuntu packages) rather than OpenSSL — confirm with: exim --version | grep GnuTLS
Your Exim configuration advertises both STARTTLS and CHUNKING to connecting clients — the Debian/Ubuntu default configuration enables both
Your mail server accepts inbound SMTP connections from the public internet or untrusted networks
You have not yet applied the Exim 4.99.3 patch released 2026-05-13
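The checks above, folded into one triage script. This is an added example, not part of the advisory: it parses `exim --version` and `exim -bP` output, the sample output is constructed, and the `exim -bP <option>` line format and the "non-empty advertise list" test are assumptions.

```shell
# Added triage helper, not from the advisory. Assumed formats: `exim --version`
# (alias of -bV) starts "Exim version 4.98 #2 built ..." and names the TLS
# library; `exim -bP <option>` prints "<option> = <value>".

# Is a version inside the affected range 4.97 .. 4.99.2?  0 = yes, 1 = no.
exim_version_affected() {
    ver=$1; major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    [ "$major" = 4 ] || return 1
    [ "$minor" -ge 97 ] && [ "$minor" -le 99 ] || return 1
    [ "$minor" -lt 99 ] || [ "$patch" -le 2 ]   # 4.99.x is only affected up to .2
}
# Pull "4.98" out of the version banner.
exim_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}
# GnuTLS build? OpenSSL builds print "OpenSSL" in the same lines instead.
exim_uses_gnutls() { printf '%s\n' "$1" | grep -q 'GnuTLS'; }
# Both advertise-host lists non-empty => STARTTLS and CHUNKING can be offered.
exim_advertises_starttls_and_chunking() {
    tls=$(printf '%s\n' "$1" | sed -n 's/^tls_advertise_hosts *= *//p')
    chk=$(printf '%s\n' "$1" | sed -n 's/^chunking_advertise_hosts *= *//p')
    [ -n "$tls" ] && [ -n "$chk" ]
}
# All three advisory conditions ($1 = version output, $2 = -bP output).
exim_is_affected() {
    exim_version_affected "$(exim_version_from_output "$1")" \
        && exim_uses_gnutls "$1" && exim_advertises_starttls_and_chunking "$2"
}
exim_report() {   # $3 = label for the host; always prints, never aborts set -e
    if exim_is_affected "$1" "$2"; then
        echo "$3: AFFECTED - patch to Exim 4.99.3 or apply the workaround now"
    else
        echo "$3: does not meet all advisory conditions"
    fi
}
# Constructed sample output imitating a Debian exim4-daemon-heavy host.
SAMPLE_VERSION='Exim version 4.98 #2 built 30-Jul-2024 10:10:15
Support for: crypteq iconv() IPv6 GnuTLS TLS_resume move_frozen_messages DANE DKIM
Library version: GnuTLS: Compile: 3.8.3 Runtime: 3.8.3'
SAMPLE_OPTS='tls_advertise_hosts = *
chunking_advertise_hosts = *'
exim_report "$SAMPLE_VERSION" "$SAMPLE_OPTS" "constructed sample"

# Live check, only where an exim binary exists on this host.
if command -v exim >/dev/null 2>&1; then
    exim_report "$(exim --version 2>/dev/null)" \
        "$(exim -bP tls_advertise_hosts chunking_advertise_hosts 2>/dev/null)" "this host"
fi
```

A non-empty advertise list is a screen, not proof: STARTTLS is only offered once a certificate is configured, so confirm the EHLO response from a trusted host before closing an affected system out.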
Board Talking Points
A critical flaw in the email server software used by default on Debian and Ubuntu Linux systems allows attackers to take full control of those servers without any login credentials — a public attack tool is already available.
IT and security teams should patch all affected mail servers to Exim 4.99.3 immediately; if patching cannot be completed within 24 hours, a configuration-level workaround should be applied now to reduce exposure.
Organizations that do not act quickly risk complete compromise of their email infrastructure, including potential interception of business communications and use of their mail systems as a launch point for broader network attacks.
HIPAA — Exim mail servers handling Protected Health Information (PHI) transmissions are covered infrastructure; RCE-level compromise triggers breach assessment obligations under 45 CFR 164.402
GDPR — Mail servers processing personal data of EU residents are in scope; unauthorized access constitutes a personal data breach requiring 72-hour supervisory authority notification under Article 33
PCI-DSS — If the affected Exim instance is in or adjacent to the cardholder data environment and handles payment-related communications, compromise requires incident response per PCI-DSS Requirement 12.10