CVE-2025-67896 - Exploiting Exim's Heap Buffer Overflow via Rate-Limit Configurations (Exim < 4.99.1)

---

Exim, the widely-used mail transfer agent (MTA), is once again in the spotlight after the announcement of CVE-2025-67896. This security issue impacts Exim versions before 4.99.1, specifically when certain non-default rate-limiting settings are enabled. Let’s walk through how this vulnerability works, why it’s dangerous, and what real-world exploitation could look like.

What Is CVE-2025-67896?

The bug is a remote heap-based buffer overflow. It happens because Exim processes records from its persistent database (like those used in rate-limiting counts) with unsafe casting — Exim turns raw database records straight into internal structure pointers *without* checking their length or format.

If an attacker can control or influence what’s stored in the rate-limit database, they may be able to inject malformed or oversized records. When Exim later reads these records, it overwrites heap memory, creating potential for remote code execution (RCE) or service crashes.

Where’s the Issue in the Code?

Here’s a greatly simplified version of the flawed logic (not the real Exim source, just for illustration):

typedef struct {
    int times_accessed;
    time_t last_access;
    char client_ip[64];
    // ...more fields
} ratelimit_record;

ratelimit_record *load_record(const char *data_from_db) {
    // Vulnerable: blindly casting data from db
    return (ratelimit_record *) data_from_db;
}

The right code pattern should check length and parse each field safely instead of raw casting.

Example Exploit Scenario

Let’s say your Exim config enables ratelimit = 1/hr /db (a non-default config to fight spam). The MTA saves a db record for every client IP connecting — such as how often they tried to send email.

If an attacker can insert a *large* or *malformed* record (perhaps by sending crafted network packets that create unexpected db entries), when Exim later retrieves this record, it treats the attacker-controlled data as a ratelimit_record struct. Overrunning the expected memory, the attacker can:

Proof-of-Concept (PoC) Pseudocode

*Please do not use this against systems you don’t own or have explicit permission to test.*

import socket

# Suppose Exim tracks each connecting IP in the database
attacker_ip = 'malicious.fake.ip'

# The attacker opens hundreds of connections with weird options that poison the record
for i in range(100):
    s = socket.socket()
    s.connect(('exim.target.example', 25))
    # Fake HELO, etc. to trigger record creation
    s.send(b'HELO example\r\n')
    # Send oddly long client identifiers or other tricks, depending on config
    s.send(b'BYE\r\n')
    s.close()

# Exim reads back poisoned records later and crashes or is exploited

References

- Official Exim Security Page
- CVE Details: CVE-2025-67896
- Exim 4.99.1 Release Notes

How Can You Fix It?

- Upgrade to Exim 4.99.1 or newer. This release properly validates and parses records from the rate-limit db.
- If you can’t immediately upgrade, disable rate-limiting features (especially custom or non-default configurations).

Takeaway

CVE-2025-67896 is a nasty bug that’s easy for attackers to hit when rate-limit db tracking is switched on. If you run Exim, patch immediately and audit your configs!


*This article is original and written based on available CVE details as of June 2024. Always consult your vendor and official advisories for critical security updates.*

Timeline

Published on: 12/14/2025 04:00:24 UTC
Last modified on: 12/22/2025 19:15:45 UTC