Exim ‘close_notify mid-body’ bug risks remote code execution in mail servers — urgent mail server cyber attack alert
What happened
While handling BDAT chunking, Exim before 4.99.3 contains a GnuTLS use-after-free that is triggered when a TLS close_notify is sent mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection.
Reported about 2 hours ago, the advisory says this triggers heap corruption and could allow an unauthenticated network attacker to execute arbitrary code. The flaw affects Exim in certain GnuTLS configurations, and the severity was rated 9.8.
Why this matters to businesses
Because Exim runs on mail gateways, mail servers and a lot of UNIX boxes, organisations that still trust default MTA setups are at real risk. If Exim is exploited, attackers can gain code execution on mail hosts, which means mailbox data, mail queues and server trust can be abused.
Since mail servers sit at the edge, successful exploitation can lead to operational outages, forensic costs, regulatory headaches and long incident calls that suck leadership time. And yes, patch later thinking will come back to bite you here.
If you’ve got the same weakness, here’s what happens next
If your Exim builds use GnuTLS and you’ve not applied the fix, an attacker who can reach your SMTP port could weaponise the BDAT parsing bug to gain code execution, move laterally or drop persistence.
Following that, you’re looking at service disruption while you reimage or rebuild mail nodes, possible interception or tampering with queued mail, and lengthy compliance reporting if user data is involved. The recovery costs and board time can outstrip the technical fix itself.
What to do on Monday morning
-
Inventory: Identify every Exim instance, note the version and whether it uses GnuTLS, and record which machines act as mail gateways, internal relays or submission hosts.
-
Patching: Apply the vendor fix or upgrade to Exim 4.99.3 or later where available, or disable BDAT chunking or GnuTLS for SMTP as a temporary mitigation if you can safely do so.
-
Access control: Isolate SMTP hosts behind strict network ACLs and limit which systems can connect to them, so exploitation surface is reduced while you patch.
-
Logging and detection: Turn on verbose mail and TLS logging, capture packet traces where feasible, and hunt for anomalous BDAT sequences or unexpected close_notify timing.
-
Incident readiness: Prepare rebuild playbooks and backups for mail queues and config files, plus a communications plan for customers and regulators if exploitation is suspected.
-
Supplier and change review: Check any third-party appliances or managed mail providers for Exim/GnuTLS exposure and force coordinated patching or compensating controls.
-
Test restores: Run a restore and reconfiguration drill for at least one mail host, because an untested backup is just a paper promise.
Where ISO standards fit, without the sales pitch
Given this is a high-severity remote code execution in a core service, an ISO 27001-aligned management system helps you track which systems run Exim, prioritise patch windows and enforce change controls, see ISO 27001 for practical alignment.
Since continuity and rapid recovery matter here, having ISO 22301 processes means you can fail over mail processing or restore services with less chaos, see ISO 22301.
For baseline technical controls and certification-ready checklists that map to common mail server risks, an IASME-aligned approach keeps your basic hygiene visible and repeatable, see IASME certifications.
Overall, these standards don’t stop a bug from existing, but they force the inventory, patch prioritisation and supplier checks that stop a small flaw turning into a full-blown breach.
Act now, because this one is both specific and exploitable.