CVE-2023-51766
Exim vulnerability analysis and mitigation

Overview

CVE-2023-51766 affects Exim before version 4.97.1, allowing SMTP smuggling in certain PIPELINING/CHUNKING configurations. The vulnerability was discovered in December 2023 and enables remote attackers to inject email messages with spoofed MAIL FROM addresses, bypassing SPF protection mechanisms. This occurs because Exim supports certain line ending sequences that some other popular email servers do not (NVD, SEC Consult).

Technical details

The vulnerability requires specific conditions to be exploited: Exim must offer both PIPELINING and CHUNKING on incoming connections, and DATA (rather than BDAT) must be used for message reception. The attack leverages differences in how servers interpret line endings like 'LF . LF', 'CR LF . LF', or 'LF . CR LF'. When these conditions are met, attackers can inject additional SMTP commands as part of message data, leading to message smuggling (Exim Bug, SEC Consult). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) (NVD).
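To check captured traffic for the condition described above, the following added example (not code from the advisory or from the Exim project) scans raw DATA payload bytes for the three dot-line forms named in this section and records whether an SMTP command verb follows one. The function name, result fields and sample payloads are assumptions constructed for illustration, and the input is assumed to be the bytes exactly as received on the wire.

```python
import re

# SMTP defines one end-of-data marker: CR LF . CR LF. These are the three
# other dot-line forms named in the advisory text.
NAMES = {
    (b"\n", b"\n"): "LF . LF",
    (b"\r\n", b"\n"): "CR LF . LF",
    (b"\n", b"\r\n"): "LF . CR LF",
}

# A line holding only "."; the trailing newline is a lookahead so that
# back-to-back dot lines are each reported. Dot-stuffed lines ("..") never match.
DOT_LINE = re.compile(rb"(\r?\n)\.(?=(\r?\n))")

# Command verbs that have no business opening the line right after a dot line.
SMTP_VERB = re.compile(rb"(?i)(MAIL FROM:|RCPT TO:|DATA\b|BDAT\b|EHLO\b|HELO\b|RSET\b)")


def find_ambiguous_terminators(payload: bytes) -> list:
    """Return one finding per non-standard dot line in a raw DATA payload."""
    findings = []
    for m in DOT_LINE.finditer(payload):
        before, after = m.group(1), m.group(2)
        name = NAMES.get((before, after))
        if name is None:  # CR LF . CR LF, the standard marker
            continue
        rest = payload[m.end() + len(after):]
        verb = SMTP_VERB.match(rest)
        findings.append({
            "offset": m.start(),
            "sequence": name,
            "followed_by_command": verb.group(1).decode().upper() if verb else None,
        })
    return findings


# Constructed samples, not captured traffic.
CLEAN = b"Subject: hi\r\n\r\nline one\r\n..dot-stuffed line\r\nbye\r\n.\r\n"
SUSPECT = b"Subject: hi\r\n\r\nfirst body\n.\r\nMAIL FROM:<someone@example.org>\r\n"

if __name__ == "__main__":
    for finding in find_ambiguous_terminators(SUSPECT):
        print(finding)
```

A finding with a command verb after it is the stronger signal; a bare-LF dot line on its own can also come from a sender with broken line-ending handling.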

Impact

The vulnerability allows attackers to bypass SPF protection mechanisms and inject unauthorized email messages. When successfully exploited, attackers can send messages that appear to originate from legitimate domains, potentially enabling sophisticated phishing attacks. Messages accepted through this vulnerability bypass proper validation by the relay server (SEC Consult).

Mitigation and workarounds

The primary fix is to upgrade to Exim version 4.97.1 or later. For those unable to upgrade immediately, two workarounds are available: either disable CHUNKING advertisement for incoming connections (which will cause DATA command smuggling attempts to fail synchronization checks) or disable PIPELINING advertisement (which will cause smuggled MAIL FROM commands to fail synchronization checks) (Exim Bug).

Community reactions

The vulnerability disclosure process faced some criticism from the open-source community due to lack of coordination with affected projects. While some vendors like GMX and Microsoft quickly addressed the issue, others like Cisco initially classified it as a feature rather than a vulnerability. The disclosure timing just before the end-of-year holidays created additional challenges for administrators and projects (LWN).

This report was generated using AI.

Related Exim vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-67896 | CRITICAL | 9.8 | Exim | exim4 | No | Yes | Dec 14, 2025 |
| CVE-2025-26794 | CRITICAL | 9.8 | Exim | exim4 | No | Yes | Feb 21, 2025 |
| CVE-2025-30232 | HIGH | 7.8 | Exim | cpe:2.3:a:exim:exim | No | Yes | Mar 28, 2025 |
| CVE-2025-53881 | MEDIUM | 6.9 | Exim | exim | No | Yes | Oct 02, 2025 |
| CVE-2024-39929 | MEDIUM | 5.4 | Exim | exim-greylist | No | Yes | Jul 04, 2024 |
