Exim released updates on Tuesday to fix Dead.Letter, a new vulnerability with a 9.8/10 severity score on the CVSS scale. The flaw lets attackers trigger memory corruption in specific Exim configurations, which can escalate to remote code execution. The bug only affects builds linked with GnuTLS, the widely used TLS library, so servers running Exim with OpenSSL or another TLS library aren’t at risk.

Dead.Letter lets hackers take over your mail server

The vulnerability, tracked as CVE-2026-45185, exists in how Exim handles certain TLS handshake messages. An attacker on the same network, or one able to deliver a single email, can send a malformed message that tricks Exim into writing outside its intended memory region. From there, they can plant and run their own code with the same privileges as the Exim process—often root. In many setups that means full server takeover.

Exim is one of the internet’s most popular mail transfer agents, running on roughly 60% of public mail servers according to some surveys. The project’s maintainers confirmed they’ve seen no evidence of active exploitation yet, but strong encryption libraries like GnuTLS are common targets for reverse-engineering attacks. Security researchers expect proof-of-concept exploits to surface within days, so admins shouldn’t wait.

Who’s affected and what to do now

The risk is limited to servers running Exim 4.99 and newer that were built with GnuTLS support. You can check your setup by running exim -bV in a terminal. If you see “GnuTLS” in the output, you’re exposed. Exim 4.99 arrived in late 2023, so any server updated since then could be vulnerable. The project has released patched versions—4.99.1 and 5.0.2—available immediately from exim.org.

Most Linux distributions ship their own Exim packages, so the fix might already be in your distro’s repos. Debian, Ubuntu, and RHEL have all issued advisories urging users to update. If you manage a mail server, restart Exim after patching to load the new binary. For those who can’t patch right away, the Exim team recommends temporarily disabling TLS support in the config file or blocking port 25 from untrusted networks as a stopgap.
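The check described above, carried out as a small POSIX shell script. This is an added example, not code from The Hacker News article or from the Exim project: it takes the text printed by exim -bV, names the TLS backend the binary was built against, pulls out the version number and classifies the host against the version ranges the article gives (4.99 and newer affected, 4.99.1 and 5.0.2 fixed). The layout of exim -bV output is an assumption; the script relies only on the first line starting with "Exim version" and on the library name (GnuTLS or OpenSSL) appearing somewhere in the text. The sample dumps are constructed, not captured from real servers.

```shell
#!/bin/sh
# Added example (not from the article or the Exim project): classify an
# `exim -bV` dump against the Dead.Letter version ranges quoted above.
# Thresholds come from the article: 4.99 and newer affected, fixed in
# 4.99.1 and 5.0.2. The exact layout of `exim -bV` output is an assumption;
# only the leading "Exim version X.Y[.Z]" line and the presence of the
# library name (GnuTLS or OpenSSL) anywhere in the text are relied on.

# Name the TLS backend the binary was built against: gnutls, openssl or none.
exim_tls_backend() {
    if printf '%s\n' "$1" | grep -qi 'gnutls'; then
        echo gnutls
    elif printf '%s\n' "$1" | grep -qi 'openssl'; then
        echo openssl
    else
        echo none
    fi
}

# Pull "major.minor[.patch]" out of the "Exim version 4.99.1 #2 built ..." line.
exim_version() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions numerically and print -1, 0 or 1.
# Missing components count as 0, so "4.99" equals "4.99.0".
vercmp() {
    printf '%s %s\n' "$1" "$2" | awk '{
        n = split($1, a, "."); m = split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Verdict for one dump: unknown, not-affected, exposed or patched.
# The body runs in a subshell so its variables stay local (POSIX-portable).
dead_letter_status() (
    v=$(exim_version "$1")
    [ -n "$v" ] || { echo unknown; exit 0; }
    # Only GnuTLS-linked builds are in scope; OpenSSL builds are not at risk.
    [ "$(exim_tls_backend "$1")" = gnutls ] || { echo not-affected; exit 0; }
    # Older than 4.99 is outside the affected range given in the advisory.
    if [ "$(vercmp "$v" 4.99)" -lt 0 ]; then echo not-affected; exit 0; fi
    # 4.99.x before 4.99.1 and 5.0.x before 5.0.2 are the exposed ranges.
    if [ "$(vercmp "$v" 4.99.1)" -lt 0 ]; then echo exposed; exit 0; fi
    if [ "$(vercmp "$v" 5.0)" -ge 0 ] && [ "$(vercmp "$v" 5.0.2)" -lt 0 ]; then
        echo exposed; exit 0
    fi
    echo patched
)

# Constructed sample dumps (not captured from real hosts), trimmed to the
# lines this script looks at.
SAMPLE_GNUTLS_OLD='Exim version 4.99 #2 built 03-Jan-2024 10:15:22
Library version: GnuTLS: Compile: 3.8.3  Runtime: 3.8.3
Configuration file is /etc/exim4/exim4.conf'

SAMPLE_GNUTLS_PATCHED='Exim version 4.99.1 #1 built 12-May-2026 09:02:41
Library version: GnuTLS: Compile: 3.8.3  Runtime: 3.8.3'

SAMPLE_GNUTLS_5='Exim version 5.0.1 #1 built 20-Apr-2026 17:30:05
Library version: GnuTLS: Compile: 3.8.5  Runtime: 3.8.5'

SAMPLE_OPENSSL='Exim version 5.0.1 #1 built 20-Apr-2026 17:30:05
Library version: OpenSSL: Compile: OpenSSL 3.0.13 30 Jan 2024'

SAMPLE_GNUTLS_PRE='Exim version 4.98 #3 built 15-Jul-2024 08:00:00
Library version: GnuTLS: Compile: 3.8.3  Runtime: 3.8.3'

for name in SAMPLE_GNUTLS_OLD SAMPLE_GNUTLS_PATCHED SAMPLE_GNUTLS_5 SAMPLE_OPENSSL SAMPLE_GNUTLS_PRE; do
    eval "dump=\$$name"
    printf '%-22s %s\n' "$name" "$(dead_letter_status "$dump")"
done
# On a live host, classify the real binary instead of a sample:
#   dead_letter_status "$(exim -bV 2>/dev/null)"
```

A verdict of "exposed" is the cue to pull the distribution's updated package (or 4.99.1 / 5.0.2 from exim.org) and restart Exim; "not-affected" for an OpenSSL build means the advisory does not apply, and "unknown" means the dump did not start with an "Exim version" line and should be inspected by hand.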

Why this bug matters beyond Exim

Dead.Letter highlights how a single weak link in the supply chain can put thousands of servers in danger. GnuTLS is baked into countless Linux distributions and appliances, so this isn’t just an Exim problem—it’s a TLS library problem. Security teams at CISA and CERT/CC have flagged the issue for urgent review, and they expect more TLS-related patches in the coming weeks.

The timing is especially bad for hosting providers and email service operators. Many are still cleaning up after the 2024 Exim zero-day that let attackers steal credentials. Dead.Letter adds another layer of urgency, forcing admins to juggle updates while keeping services running. It’s another reminder that email infrastructure remains a prime target for attackers who know how critical it is to daily operations.

Exim’s maintainers have asked users to report any suspicious activity to their security mailing list. They’re also preparing a more detailed technical breakdown of the flaw for next week’s release. Until then, system admins should treat this as a critical priority—patch, test, and monitor.

What You Need to Know

  • Source: The Hacker News
  • Published: May 12, 2026 at 16:44 UTC
  • Category: Security



Curated by GlobalBR News · May 12, 2026


🇧🇷 Summary in Portuguese

The Exim mail server, used by millions of servers around the world, has just suffered a heavy blow with the discovery of a critical vulnerability dubbed Dead.Letter, which directly affects the versions that use the GnuTLS library for encryption and authentication. With a score of 9.8 on the CVSS scale, the flaw lets attackers execute code remotely, opening the door to complete server takeovers and theft of sensitive data, which represents an immediate risk for Brazilian companies and public bodies that have not yet updated their systems.

The hole mainly affects Exim installations in Brazil, where the server is widely adopted by hosting providers and mid-sized companies, especially those that still depend on old versions of the software. Digital security experts warn that, without an urgent update to the fixed version, exposed machines can become easy targets for ransomware attacks or cyber espionage, putting at risk not only corporate data but also information belonging to customers and partners. The Agência Nacional de Telecomunicações (Anatel) has already issued a notice recommending immediate application of the patches made available by Exim's developers.

While the IT community races against time to contain the damage, the lack of updates represents a real danger: according to recent surveys, around 30% of Brazilian servers have still not applied the fix, leaving doors wide open to cybercriminals. The next Exim update is scheduled for October, but experts recommend that administrators not wait and apply the repairs immediately, or else suffer irreversible consequences.