21Nails Vulnerabilities affect 60% of all Mail Servers on the Web

Using vulnerabilities, hackers can take control of the server and intercept or interact with messages passing through it.


The Exim mail server software support team has released fixes for 21 vulnerabilities that allow you to take control of a server using both local and remote attack vectors. A series of vulnerabilities called 21Nails was discovered by Qualys. With its help, attackers can take control of the server in order to intercept or interact with e-mails passing through it.

21Nails includes 11 vulnerabilities that require local access to the server to exploit, and 10 vulnerabilities that can be exploited remotely.

The problem affects all versions of Exim released in the last 17 years (since 2004). To avoid possible cyber attacks, server owners are strongly advised to update them to version 4.94.

Previous vulnerabilities in Exim, disclosed in 2019-2020, were actively exploited by hacker groups, both financially motivated and working for the government. Most often, attackers exploited a vulnerability ( CVE-2019-10149 ) known as Return of the WIZard.

Qualys researchers say they will not publish exploits for all 21Nails Exim vulnerabilities. However, the Exim command notification contains enough information to enable attackers to design effective exploits.

Here are the summary of all 21 Vulnerabilities 

CVE Description Type
CVE-2021-27216 Arbitrary file deletion Local
CVE-2020-28007 Link attack in Exim’s log directory Local
CVE-2020-28008 Assorted attacks in Exim’s spool directory Local
CVE-2020-28009 Integer overflow in get_stdinput() Local
CVE-2020-28010 Heap out-of-bounds write in main() Local
CVE-2020-28011 Heap buffer overflow in queue_run() Local
CVE-2020-28012 Missing close-on-exec flag for privileged pipe Local
CVE-2020-28013 Heap buffer overflow in parse_fix_phrase() Local
CVE-2020-28014 Arbitrary file creation and clobbering Local
CVE-2020-28015 New-line injection into spool header file (local) Remote
CVE-2020-28016 DHeap out-of-bounds write in parse_fix_phrase() Remote
CVE-2020-28017 Integer overflow in receive_add_recipient() Remote
CVE-2020-28018 Use-after-free in tls-openssl.c Remote
CVE-2020-28019 Failure to reset function pointer after BDAT error Remote
CVE-2020-28020 Integer overflow in receive_msg() Remote
CVE-2020-28021 New-line injection into spool header file (remote) Remote
CVE-2020-28022 Heap out-of-bounds read and write in extract_option() Remote
CVE-2020-28023 Out-of-bounds read in smtp_setup_msg() Remote
CVE-2020-28024 Heap buffer underflow in smtp_ungetc() Remote
CVE-2020-28025 Heap out-of-bounds read in pdkim_finish_bodyhash() Remote
CVE-2020-28026 Line truncation and injection in spool_read_header() Remote

Successful exploitation of these vulnerabilities would allow a remote attacker to gain full root privileges on the target server and execute commands to install programs, modify data, and create new accounts. Currently Shodan shows over 3.8 million Exim servers accessible over the Internet.