Threat Hunt Deep Dives: The Return of the WIZard

Austin Jackson | November 20, 2020
Blog

Last year, during a routine code review, Qualys discovered a Remote Command Execution (RCE) vulnerability in the Exim Mail Transfer Agent (MTA) mail server. The vulnerability has been dubbed “The Return of the WIZard” and is listed under CVE-2019-10149. The RCE vulnerability exists in Exim mail server versions 4.87 to 4.91 (inclusive). When exploited, the vulnerability allows an attacker to execute arbitrary commands with root privileges.

The Exim mail server is ubiquitous on the internet. More than 50% of public-facing mail servers run Exim MTA, and over 500,000 Exim mail servers exist on the internet. The severity of the vulnerability, coupled with its large presence on the internet, makes the potential impact of this exploit quite extreme. While this exploit was patched over a year ago, many public-facing Exim mail servers are still vulnerable. The vulnerability has been utilized as recently as October 2020 by the Russian state-sponsored threat actor known as Berserk Bear.
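A first inventory step in a hunt for this vulnerability is to triage the Exim versions your mail servers announce against the 4.87 to 4.91 range stated above. The following is an added example (not code from the original post or from Cyborg Security); the hostnames and banners are constructed, and the version check is a lead, not proof, because distributions backport fixes without changing the upstream version number.

```python
import re
from typing import Dict, Optional, Tuple

# Version range given in the post: Exim 4.87 through 4.91 inclusive (CVE-2019-10149).
VULNERABLE_MIN = (4, 87)
VULNERABLE_MAX = (4, 91)

# Matches both the SMTP greeting ("ESMTP Exim 4.91 ...") and `exim -bV` ("Exim version 4.91 #1 ...").
VERSION_RE = re.compile(r"\bExim\s+(?:version\s+)?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_exim_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner or -bV line, or None if no Exim version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_in_vulnerable_range(version: Tuple[int, int, int]) -> bool:
    """Compare as integer tuples, not strings: 4.86 < 4.87 <= ... <= 4.91 < 4.92."""
    major, minor, _patch = version
    return VULNERABLE_MIN <= (major, minor) <= VULNERABLE_MAX


def triage_banners(banners: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'vulnerable-version', 'patched-version' or 'unknown'.
    A 'vulnerable-version' hit means: confirm via the package changelog / vendor advisory,
    since a backported fix keeps the 4.8x/4.9x version string."""
    results = {}
    for host, banner in banners.items():
        version = parse_exim_version(banner)
        if version is None:
            results[host] = "unknown"
        elif is_in_vulnerable_range(version):
            results[host] = "vulnerable-version"
        else:
            results[host] = "patched-version"
    return results


# Constructed sample banners (hypothetical hosts), in the shape Exim and other MTAs greet clients with.
SAMPLE_BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Thu, 19 Nov 2020 10:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.92 Thu, 19 Nov 2020 10:00:00 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.86 Thu, 19 Nov 2020 10:00:00 +0000",
    "mx4.example.test": "220 mx4.example.test ESMTP Postfix",
}

if __name__ == "__main__":
    for host, label in triage_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {label}")
```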

Check out Cyborg Security’s Threat Hunt Deep Dives Ep. 1: Return of the WIZard – Exim MTA RCE (CVE-2019-10149) to learn more about this vulnerability.

Austin Jackson

Software Engineer & Security Researcher