
Cybersecurity Alert: Two Exim Mail Vulnerabilities Could Allow Unauthorized System and Data Access

Impact: All Firms With Unix or Linux Systems

FINRA firms should be aware of two vulnerabilities in Exim Mail that could allow threat actors to corrupt a firm’s system memory and take control of its mail server from outside the network.

FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel—as well as any third-party vendors that may use Exim Mail—to identify whether your firm is impacted and take immediate steps to protect your environments.

BACKGROUND

Exim Mail is free, open-source email server software created for Unix/Linux systems that routes, delivers and receives email messages. On Nov. 22, 2025, the National Institute of Standards and Technology (NIST) published entries for two critical vulnerabilities in Exim: an SQL injection flaw and a heap-based buffer overflow. Chained together, they can lead to unauthorized control of an organization’s mail server. A threat actor uses the SQL injection to plant a fraudulent record carrying a hugely inflated “size” value in Exim’s database. When Exim later reads that record, it writes more data than the allocated buffer can hold, so the excess spills into adjacent memory, potentially allowing the attacker to crash the service or execute their own code remotely. (See the Technical Details below for more information.)

If your firm uses servers running Exim for email, these vulnerabilities could allow unauthorized access to, and complete control of, systems and data.

RECOMMENDED ACTIONS

FINRA encourages member firms with Unix or Linux systems to check if they use Exim Mail software and then share the following information with their cybersecurity and technology management personnel so they can take immediate steps to protect their environments. Firms should consult Exim’s web page for specific instructions on updating vulnerable systems, and consider the following additional actions to mitigate the risk associated with these vulnerabilities:

  • Patching/Upgrading: 1 The most direct mitigation is to apply the latest security patches and/or upgrade the vulnerable application to a non-vulnerable, supported version. Always first test patches in a non-production environment (see CVE-2025-26794 and CVE-2025-67896 for additional information).
  • Vulnerability Management Program: 2 Establish and maintain a robust vulnerability management program that includes: (1) Continuous Scanning; (2) Asset Inventory; and (3) Risk Classification of technology assets.
  • Network Segmentation & Access Control: 3 Implement strict network segmentation and access controls to limit the blast radius in case of a compromise. Restrict access to vulnerable services to only necessary users and IP ranges. Note that a public MX host must accept SMTP connections from the internet, so for mail servers this control applies mainly to administrative access and to the network paths from the mail server into the rest of the environment.
  • Web Application Firewall (WAF) / Intrusion Prevention System (IPS): 4 Deploy and configure a WAF or IPS to virtually patch known vulnerabilities by blocking malicious traffic patterns. This provides an interim defense where immediate patching is not feasible. A WAF inspects HTTP traffic and does not see SMTP, so for a mail server the relevant interim control is a network IPS or a mail security gateway placed in front of Exim.
  • Secure Configuration: 5 Review and harden the configuration of the vulnerable application, disabling unnecessary features and services, and implementing least privilege principles.
  • Monitoring and Alerting: 6 Implement security monitoring and alerting for attempts to exploit known vulnerabilities on your public-facing systems.

Technical Details

  • CVE-2025-26794 (CVSS: 9.8, EPSS: 72%, In KEV: No) 7 – An SQL injection vulnerability in Exim. The routine that cleans values before they are written to Exim’s database does not properly escape single-quote characters. A remote threat actor who can reach the SMTP service can exploit this by sending crafted input that injects database commands, including a record with an enormously inflated “size” value. No user interaction by the recipient is required. When Exim later processes that corrupted record, it writes far more data than the allocated space allows, overwriting up to 1.5MB of memory.
  • CVE-2025-67896 (CVSS: 9.8, EPSS: 0.1%, In KEV: No) – A critical heap-based buffer overflow vulnerability affecting Exim 4.99 before 4.99.1. Once threat actors have planted an oversized record, reading it back overflows the heap buffer, allowing them to crash the service and potentially execute their own code remotely, which can lead to unauthorized access to firm systems and data.
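The recommended “check if they use Exim Mail” step and the version range given above for CVE-2025-67896 can be combined into a host check that runs from an inventory or configuration-management job. The POSIX shell script below is an added example written for this alert; it is not FINRA’s or the Exim project’s code. It assumes the Exim binary is installed as `exim` or `exim4` and that `exim -bV` prints “Exim version X.Y …” as its first line. It encodes only the range the alert states (4.99 before 4.99.1 for CVE-2025-67896); the affected range for CVE-2025-26794 is not given in this alert and is left as an assumption to be filled in from that CVE’s entry before the script is relied on for it.

```shell
#!/bin/sh
# Added example (not from FINRA or the Exim project): find Exim on a Unix/Linux
# host and flag a version that falls inside a vulnerable range.
# Assumptions: the binary is "exim" or "exim4" and the first line of `exim -bV`
# reads "Exim version 4.99 #2 built ...".
# One range per line: CVE  first-affected  first-fixed. Only the range the alert
# states is listed; the range for CVE-2025-26794 must be added from its CVE entry.
RANGES='CVE-2025-67896 4.99 4.99.1'

# ver_cmp A B: print -1, 0 or 1 as dotted version A is lower than, equal to,
# or higher than B. Missing components count as 0 (4.99 == 4.99.0) and a
# trailing packaging suffix such as "-1ubuntu2" is ignored.
ver_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# affected VERSION LOW FIXED: true when LOW <= VERSION < FIXED
affected() {
  [ "$(ver_cmp "$1" "$2")" -ge 0 ] && [ "$(ver_cmp "$1" "$3")" -lt 0 ]
}

# exim_version_from_bv LINE: extract "4.99" from the first line of `exim -bV`
exim_version_from_bv() {
  printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# check_version VERSION: print each listed CVE whose range contains VERSION.
# Returns 0 when none matched, 1 when at least one did.
check_version() {
  hits=0
  while read -r cve low fixed; do
    [ -n "$cve" ] || continue
    if affected "$1" "$low" "$fixed"; then
      echo "Exim $1: AFFECTED by $cve (upgrade to $fixed or later)"
      hits=$((hits + 1))
    fi
  done <<EOF
$RANGES
EOF
  [ "$hits" -eq 0 ]
}

# check_host: locate the Exim binary on this host and check its version.
# Returns 0 when Exim is absent or outside every listed range, 1 otherwise.
check_host() {
  host=$(uname -n)
  bin=$(command -v exim4 2>/dev/null || command -v exim 2>/dev/null) || {
    echo "$host: Exim not installed"
    return 0
  }
  ver=$(exim_version_from_bv "$("$bin" -bV 2>/dev/null | head -n 1)")
  if [ -z "$ver" ]; then
    echo "$host: $bin present but its version could not be parsed; check manually"
    return 1
  fi
  if check_version "$ver"; then
    echo "$host: Exim $ver is not in a listed vulnerable range"
  else
    return 1
  fi
}

check_host
```

Run it on each Unix/Linux host (for example via your configuration-management tool) and collect the non-zero exits as the list of servers to patch first. Because the version comparison is plain string arithmetic, it also works on hosts whose package manager reports a distribution-suffixed version such as 4.99-1.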

FINRA encourages member firms that identify data breaches or attempted data breaches to contact your Risk Monitoring Analyst and report them to: 

Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Risk Officer (CRO) and/or Regulatory Inquiries contact in FINRA Gateway.


1 If immediate patching is not possible, limit internet exposure of the affected mail service to what inbound mail delivery requires, require authentication for any administrative or submission interfaces the service exposes, temporarily segment affected mail servers from the rest of the network, and apply rate limiting with anomaly detection around the service to reduce exposure to high-volume automated exploitation.

2 This recommendation follows one category of the IDENTIFY (ID) core function of NIST's Cybersecurity Framework (CSF) 2.0: ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded

3 This recommendation follows one category of the PROTECT (PR) core function of NIST's Cybersecurity Framework (CSF) 2.0: PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.

4 This recommendation follows one category of the PROTECT (PR) core function of NIST's Cybersecurity Framework (CSF) 2.0: PR.IR-01: Networks and environments are protected from unauthorized logical access and usage.

5 This recommendation follows one category of the PROTECT (PR) core function of NIST's Cybersecurity Framework (CSF) 2.0: PR.PS-01: Configuration management practices are established and applied.

6 This recommendation follows one category of the DETECT (DE) core function of NIST's Cybersecurity Framework (CSF) 2.0: DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

7 Commonly used cybersecurity definitions and resources: (1) Common Vulnerabilities and Exposures (CVE) – A catalog of publicly known cybersecurity vulnerabilities, maintained by MITRE and republished with enrichment in NIST’s National Vulnerability Database, in which each flaw is assigned a unique, standardized identifier (CVE ID) to facilitate sharing and communication about that specific security flaw; (2) Common Vulnerability Scoring System (CVSS) – Measures the relative severity of software flaw vulnerabilities ranging from 0 to 10, with 10 being the most severe; (3) Exploit Prediction Scoring System (EPSS) – Provides the probability that exploitation of a vulnerability will be observed “in the wild” within the next 30 days (e.g., a score of 0.5 indicates a 50 percent chance that exploitation activity against that vulnerability will be observed somewhere in the next 30 days; it is not the probability that a particular firm will be compromised); and (4) Known Exploited Vulnerabilities (KEV) – CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild (organizations often use the KEV catalog as an input to their vulnerability management prioritization framework).