Threat Hunt Deep Dives: The Return of the WIZard

Austin Jackson|November 20, 2020

Last year, during a routine code review, Qualys discovered a Remote Command Execution (RCE) vulnerability in the Exim Mail Transfer Agent (MTA) mail server. The vulnerability has been dubbed “The Return of the WIZard” and is listed under CVE-2019-10149. The RCE vulnerability exists in Exim mail server versions 4.87 to 4.91 (inclusive). When exploited, the vulnerability allows an attacker to execute arbitrary commands with root privileges.

The Exim mail server is ubiquitous on the internet. More than 50% of public-facing mail servers run Exim MTA, and over 500,000 Exim mail servers exist on the internet. The severity of the vulnerability, coupled with its large presence on the internet, makes the potential impact of this exploit quite extreme. While this exploit was patched over a year ago, many public-facing Exim mail servers are still vulnerable. The vulnerability has been used as recently as October 2020 by the Russian state-sponsored threat actor known as Berserk Bear.
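As an added example (not part of the original post or of Cyborg Security's tooling), the following Python helper classifies collected SMTP greeting banners against the affected 4.87 to 4.91 range, so a defender can turn a banner inventory into a list of hosts to verify. The hostnames and banner lines are constructed; Exim's default greeting advertises its version, which is what the regex keys on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range stated on the page: Exim 4.87 through 4.91 inclusive (4.92 carries the fix).
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Matches "Exim 4.89" or "Exim 4.92.3" anywhere in an SMTP greeting banner.
_EXIM_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an Exim banner, or None if it is not Exim."""
    m = _EXIM_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected_version(version: Tuple[int, int, int]) -> bool:
    """True when major.minor lies in the affected range; the patch level is irrelevant here."""
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX


def triage_banners(banner_lines: List[str]) -> Dict[str, str]:
    """Classify each '220 <host> ...' greeting as affected-candidate, not-affected or not-exim.
    A banner hit is only a candidate: distributions backport fixes without bumping the
    advertised version, so confirm against the installed package's changelog."""
    result: Dict[str, str] = {}
    for line in banner_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "220":
            continue  # not an SMTP greeting line; skip it
        host = parts[1]
        version = parse_exim_version(line)
        if version is None:
            result[host] = "not-exim"
        elif is_affected_version(version):
            result[host] = "affected-candidate"
        else:
            result[host] = "not-affected"
    return result


# Constructed sample greetings (fictitious hosts) as a banner-inventory log would record them.
SAMPLE_BANNERS = [
    "220 mx1.example.net ESMTP Exim 4.89 Thu, 19 Nov 2020 10:01:00 +0000",
    "220 mx2.example.net ESMTP Exim 4.92.3 Thu, 19 Nov 2020 10:01:02 +0000",
    "220 mx3.example.net ESMTP Postfix",
    "220 mx4.example.net ESMTP Exim 4.91 Thu, 19 Nov 2020 10:01:05 +0000",
    "220 mx5.example.net ESMTP Exim 4.86.2 Thu, 19 Nov 2020 10:01:07 +0000",
]
```

Running `triage_banners(SAMPLE_BANNERS)` flags mx1 and mx4 as candidates to verify, leaves mx2 and mx5 as not affected, and reports mx3 as not running Exim.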

Check out Cyborg Security’s Threat Hunt Deep Dives Ep. 1: Return of the WIZard – Exim MTA RCE (CVE-2019-10149) to learn more about this vulnerability.


Austin Jackson

Software Engineer & Security Researcher

