Cyber Posture

CVE-2025-26794

High

Published: 21 February 2025

Published
21 February 2025
Modified
18 December 2025
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.7509 98.9th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26794 is a high-severity SQL Injection (CWE-89) vulnerability in Exim Exim. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation through patching Exim to version 4.98.1 or later directly eliminates the SQL injection vulnerability in SQLite hints and ETRN serialization.

SI-10 Information Input Validation good match
prevent

Information input validation prevents SQL injection attacks by ensuring inputs to Exim's SQLite database are properly checked and sanitized.

SC-5 Denial-of-service Protection partial match
preventdetect

Denial-of-service protection mitigates the high-availability impact of the SQL injection by limiting traffic rates and detecting anomalous patterns in Exim.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote SQL injection in public-facing Exim MTA directly enables exploitation of the application to cause denial of service (high availability impact, no C/I), mapping to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. (Resolving SQL injection requires an update to 4.99.1 in certain non-default rate-limit configurations.)

Deeper analysisAI

CVE-2025-26794 is a remote SQL injection vulnerability (CWE-89) in Exim 4.98 before 4.98.1. The issue arises when SQLite hints and ETRN serialization features are enabled, allowing injection into SQLite databases used by Exim, a popular mail transfer agent (MTA).

Remote attackers require no privileges or user interaction and can exploit the vulnerability over the network with low attack complexity (CVSS v3.1 score of 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Exploitation results in high-impact denial of service, potentially disrupting mail delivery without compromising confidentiality or integrity.

Exim security advisories recommend updating to version 4.98.1 to address the vulnerability. However, in certain non-default rate-limit configurations, resolving the SQL injection fully requires an update to 4.99.1. Additional details are available in the Exim security report at https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt, the patch commit at https://code.exim.org/exim/exim/exim/commit/bfe32b5c6ea033736a26da8421513206db9fe305, and related resources on https://exim.org and https://github.com/Exim/exim/wiki/EximSecurity.

Details

CWE(s)
CWE-89

Affected Products

exim
exim
4.98 — 4.98.1

CVEs Like This One

CVE-2026-40684Same product: Exim Exim
CVE-2026-40687Same product: Exim Exim
CVE-2026-40685Same product: Exim Exim
CVE-2025-30232Same product: Exim Exim
CVE-2025-67896Same product: Exim Exim
CVE-2024-57652Shared CWE-89
CVE-2024-57626Shared CWE-89
CVE-2024-57643Shared CWE-89
CVE-2024-57656Shared CWE-89
CVE-2024-57629Shared CWE-89

References