Threat Hunt Deep Dives: The Return of the WIZard

Austin Jackson|November 20, 2020

Last year, during a routine code review, Qualys discovered a Remote Command Execution (RCE) vulnerability in the Exim Mail Transfer Agent (MTA) mail server. The vulnerability has been dubbed “The Return of the WIZard” and is tracked as CVE-2019-10149. It affects Exim mail server versions 4.87 to 4.91 (inclusive). When exploited, the vulnerability allows an attacker to execute arbitrary commands with root privileges.

The Exim mail server is ubiquitous on the internet. More than 50% of public-facing mail servers run Exim MTA, and over 500,000 Exim mail servers are exposed on the internet. The severity of the vulnerability, coupled with Exim's large footprint on the internet, makes the potential impact of this exploit quite extreme. Although a patch has been available for over a year, many public-facing Exim mail servers are still vulnerable. The vulnerability was used as recently as October 2020 by the Russian state-sponsored threat actor known as Berserk Bear.
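A first step in hunting for this exposure is inventorying which mail servers advertise an Exim version inside the affected 4.87 to 4.91 range. The script below is an added illustration, not code from Cyborg Security or the Exim project: it parses the version out of either an SMTP greeting banner or the first line of `exim -bV` output, compares versions as integer tuples so that 4.9, 4.87 and 4.92 sort correctly, and flags hosts for review. The hostnames and banner strings are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range as stated above: Exim 4.87 through 4.91, inclusive.
# Versions are compared as (major, minor) integer tuples rather than strings,
# so 4.9 < 4.87 < 4.91 < 4.92 orders correctly.
VULN_MIN = (4, 87)
VULN_MAX = (4, 91)

# Matches both an SMTP greeting ("220 host ESMTP Exim 4.91 ...") and the first
# line of `exim -bV` ("Exim version 4.91 #1 built ..."). Only major.minor matter here.
VERSION_RE = re.compile(r"\bExim(?:\s+version)?\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_exim_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a banner or -bV line, or None if no version is advertised."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_in_vulnerable_range(version: Tuple[int, int]) -> bool:
    """True when the advertised version lies within 4.87..4.91 inclusive."""
    return VULN_MIN <= version <= VULN_MAX


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'review' | 'ok' | 'unknown'.

    'review' means the advertised version is in the CVE-2019-10149 range and must
    be confirmed against the installed package: distribution backports fix the bug
    while keeping the old upstream version string, so a banner alone is not proof.
    'unknown' means the banner does not reveal a version and the host needs a
    local check instead.
    """
    result: Dict[str, str] = {}
    for host, text in inventory.items():
        version = parse_exim_version(text)
        if version is None:
            result[host] = "unknown"
        elif is_in_vulnerable_range(version):
            result[host] = "review"
        else:
            result[host] = "ok"
    return result


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Fri, 20 Nov 2020 10:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.92 Fri, 20 Nov 2020 10:00:02 +0000",
    "mx3.example.test": "Exim version 4.87 #1 built 01-Jan-2017 12:00:00",
    "mx4.example.test": "Exim version 4.86_2 #1 built 01-Jan-2016 12:00:00",
    "mx5.example.test": "220 mx5.example.test ESMTP ready",  # banner hides the version
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:20s} {status}")
```

Treat a "review" result as a lead, not a finding: confirm it against the package manager's changelog or the vendor advisory for the host's distribution, and follow up "unknown" hosts with a local `exim -bV` rather than assuming a hidden banner means a patched server.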

Check out Cyborg Security’s Threat Hunt Deep Dives Ep. 1: Return of the WIZard – Exim MTA RCE (CVE-2019-10149) to learn more about this vulnerability.


Austin Jackson

Software Engineer & Security Researcher