Cyber Resilience

CVE-2019-10149

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 05 June 2019
Modified: 06 November 2025
KEV Added: 10 January 2022
Patch: 05 June 2019
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9392 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-10149 is a critical-severity OS Command Injection (CWE-78) vulnerability in the Exim mail transfer agent, versions 4.87 through 4.91 inclusive, as shipped in Canonical Ubuntu Linux 18.04 and 18.10 and in Debian 9. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9392); CISA added it to the Known Exploited Vulnerabilities catalog on 10 January 2022; and public proof-of-concept exploits are referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation). In practice this means running an Exim release outside the affected range (4.92 or later) or a distribution package with the fix backported; the recipient-address check cannot be added by local configuration alone.

Deeper analysis

A flaw was found in Exim versions 4.87 to 4.91 inclusive: improper validation of recipient addresses in the deliver_message() function in src/deliver.c. The issue is classified as CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker who can submit mail to a vulnerable server can supply a crafted recipient address that triggers command execution on the mail server during delivery, potentially leading to full compromise of confidentiality, integrity, and availability.

Public references include openSUSE security announcements, along with multiple Packet Storm and Full Disclosure postings that document proof-of-concept exploits for both remote command execution and subsequent local privilege escalation against the vulnerable versions.
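Because the affected range is a closed interval of upstream versions, the first triage step on a fleet is to map each host's Exim build to "inside" or "outside" that range. The following Python is an added example written for this page, not code from the Exim project or from the advisories it cites. It assumes the captured text is the output of `exim -bV`, whose first line has the form `Exim version 4.91 #4 built 26-Jan-2019`; the host names and captures in `SAMPLES` are constructed. The caveat in `assess_exim_bv` matters in practice: Debian and Ubuntu commonly backport fixes without bumping the upstream version string, so "vulnerable" here means "upstream version in the affected range, confirm against the package changelog".

```python
import re
from typing import Dict, Optional, Tuple

# Affected range as stated in the advisory text above: Exim 4.87 to 4.91 inclusive.
VULN_MIN = (4, 87)
VULN_MAX = (4, 91)

# First line of `exim -bV` output, e.g. "Exim version 4.91 #4 built 26-Jan-2019"
# (assumed format; the build number and date after the version are ignored).
_BV_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_exim_bv(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) parsed from `exim -bV` output, or None."""
    m = _BV_RE.search(output)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch) if patch else 0)


def version_in_vulnerable_range(version: Tuple[int, int, int]) -> bool:
    """True when major.minor lies in 4.87..4.91 inclusive.

    The patch component is deliberately ignored: point releases inside the
    range share the flaw, and 4.92.x / 4.86.x fall outside it either way.
    """
    return VULN_MIN <= version[:2] <= VULN_MAX


def assess_exim_bv(output: str) -> str:
    """Classify one `exim -bV` capture as 'vulnerable', 'not-vulnerable' or 'unknown'.

    Caveat: distribution packages often backport the fix without changing the
    upstream version string, so 'vulnerable' is a triage flag, not a verdict.
    """
    version = parse_exim_bv(output)
    if version is None:
        return "unknown"
    return "vulnerable" if version_in_vulnerable_range(version) else "not-vulnerable"


# Constructed sample captures (hypothetical hosts) covering the three outcomes.
SAMPLES: Dict[str, str] = {
    "mx1": "Exim version 4.91 #1 built 10-Apr-2018\nCopyright (c) University of Cambridge, 1995 - 2018\n",
    "mx2": "Exim version 4.92.3 #3 built 02-Dec-2019\n",
    "mx3": "exim: command not found\n",
}


if __name__ == "__main__":
    for host, captured in SAMPLES.items():
        print(f"{host}: {assess_exim_bv(captured)}")
```

On Debian-derived systems the binary is usually `exim4`, so feed it `exim4 -bV` output; the version line has the same shape.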

Vulnerability details

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient addresses in the deliver_message() function in src/deliver.c may lead to remote command execution.

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product        Versions
exim        exim           4.87 to 4.91 (inclusive)
canonical   ubuntu linux   18.04, 18.10
debian      debian linux   9.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of recipient-address inputs to block the crafted values that trigger OS command execution in deliver_message().

SI-2 Flaw Remediation (prevent)

Mandates prompt installation of Exim patches that correct the improper recipient-address validation flaw (CWE-78).

detect

Enables monitoring of mail-server processes and command-execution anomalies that would indicate successful exploitation of the RCE vector.
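Two signals make the detect control above concrete: a recipient address that carries Exim string-expansion syntax, and a shell spawned by the Exim delivery process. The public PoCs referenced on this page place an Exim expansion item (`${run{...}}`) in the local part of the recipient address; that mechanism comes from the public advisories, not from this page's own text. The following Python is an added example written for this page, not code from Exim or from any referenced PoC. The log lines are constructed and only loosely modelled on Exim's mainlog format (real field content depends on `log_selector`), and the process events are a constructed, simplified telemetry record, not the output of any specific agent.

```python
import re
from typing import Dict, Iterable, List

# Exim expansion items start with "${" (e.g. "${run{...}}"). A legitimate SMTP
# local part has no reason to contain one, and a bare "$" is suspicious too.
EXPANSION_RE = re.compile(r"\$\{[a-z_]+|\$")

# Exim writes addresses inside angle brackets: "<local@domain>". Addresses in
# SMTP cannot contain whitespace, so the PoCs avoid spaces inside the braces.
ADDR_RE = re.compile(r"<([^<>\s]+)>")

SHELLS = {"sh", "bash", "dash"}


def suspicious_recipients(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag log lines whose bracketed addresses carry expansion syntax in the local part."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        for addr in ADDR_RE.findall(line):
            local_part, _, _domain = addr.rpartition("@")
            match = EXPANSION_RE.search(local_part)
            if match:
                hits.append({"line": number, "address": addr, "token": match.group(0)})
    return hits


def shells_spawned_by_exim(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return process events where a shell's parent is an Exim process.

    Exim does not spawn a shell during ordinary local or SMTP delivery; a pipe
    transport can, so tune this against your own transport configuration.
    """
    return [
        e for e in events
        if e["comm"] in SHELLS and str(e["parent_comm"]).startswith("exim")
    ]


# Constructed mainlog-style lines (hypothetical hosts and message ids).
LOG_LINES = [
    "2019-06-10 09:15:02 1hZxAb-0001Ab-Cd <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048",
    "2019-06-10 09:15:03 1hZxAb-0001Ab-Cd => bob <bob@mail.example.net> R=localuser T=local_delivery",
    "2019-06-10 09:16:40 1hZxBc-0001Ac-De <= attacker@evil.example H=(evil) [198.51.100.7] P=esmtp S=512",
    "2019-06-10 09:16:41 1hZxBc-0001Ac-De => ${run{/usr/bin/id}} <${run{/usr/bin/id}}@localhost> R=localuser T=local_delivery",
]

# Constructed process telemetry: comm, parent comm and command line per event.
PROC_EVENTS = [
    {"pid": 4101, "comm": "exim4", "parent_comm": "exim4", "cmdline": "/usr/sbin/exim4 -Mc 1hZxAb-0001Ab-Cd"},
    {"pid": 4102, "comm": "procmail", "parent_comm": "exim4", "cmdline": "/usr/bin/procmail"},
    {"pid": 4190, "comm": "sh", "parent_comm": "exim4", "cmdline": "/bin/sh -c /usr/bin/id"},
]


if __name__ == "__main__":
    for hit in suspicious_recipients(LOG_LINES):
        print(f"line {hit['line']}: expansion token {hit['token']!r} in {hit['address']}")
    for event in shells_spawned_by_exim(PROC_EVENTS):
        print(f"pid {event['pid']}: {event['comm']} under {event['parent_comm']}: {event['cmdline']}")
```

The address check is cheap enough to run on the SMTP ingress path as well as over historical logs; the process check is the one that catches a variant whose payload never appears in the log.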
