Dead.Letter (CVE-2026-45185): Unauthenticated RCE in Exim Discovered by XBOW
A critical vulnerability in Exim allows remote code execution without authentication—like leaving your mail server's front door wide open.

XBOW researchers have reported a bug in the Exim mail transfer agent, dubbed Dead.Letter and assigned CVE-2026-45185. The flaw lets an unauthenticated remote attacker execute arbitrary code on the server. In plain terms: the attacker needs no account and no password, because an Internet-facing mail server must accept messages from strangers by design, and a specially crafted email is enough to trigger the bug.
The bug sits in attachment handling, one of the oldest and most crufty parts of Exim's codebase. Code that has been read and re-read for years tends to become invisible to the people who maintain it, which is how obvious holes survive: like searching for your keys for days when they have been on the table all along.
The fix is in the latest Exim release, so update immediately, then confirm with exim -bV that the binary you are actually running is the patched one. One caveat: distribution packages often backport the fix while keeping an older upstream version number, so check your distribution's security advisory rather than judging by the bare version string alone. If you are still postponing that update, think of your mail server as a door with no lock, and attackers already hold the master key.
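As a concrete form of the "confirm you are patched" step, here is an added shell example; it is not code from the advisory, from XBOW, or from the Exim project. It parses the banner that exim -bV prints and compares the version against a minimum you supply. The advisory names no fixed release number, so FIXED_VERSION below is a hypothetical placeholder you must set from the Exim release notes, and SAMPLE_BV is constructed sample output so the script runs offline.

```shell
#!/bin/sh
# Added example (not code from the advisory, XBOW, or the Exim project): check whether the
# installed Exim is at or above the release that fixes CVE-2026-45185.
# FIXED_VERSION is a placeholder: the advisory gives no number, so set it from the Exim
# release notes or your distribution's security advisory before trusting the result.

# exim_version_from_bv OUTPUT: extract "4.97" or "4.98.1" from the text of `exim -bV`,
# whose first line reads like "Exim version 4.97 #2 built 01-Jan-2024 12:00:00".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: exit 0 if dotted version A >= B (missing components count as 0,
# so 4.98 equals 4.98.0 and 4.98.1 is greater than 4.98), exit 1 otherwise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# exim_patched OUTPUT FIXED: print "patched" (exit 0), "vulnerable" (exit 1) or
# "unknown" (exit 2, no version string found) for the given `exim -bV` text.
exim_patched() {
    v=$(exim_version_from_bv "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$2"; then echo "patched"; return 0; fi
    echo "vulnerable"; return 1
}

# Constructed sample of `exim -bV` output for an offline run (not taken from a real host).
SAMPLE_BV='Exim version 4.97 #2 built 01-Jan-2024 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2022'

# Hypothetical placeholder, NOT the real fixed release; override with FIXED_VERSION=... in the environment.
FIXED_VERSION="${FIXED_VERSION:-4.99}"

# On a real host replace SAMPLE_BV with the live banner: BV=$(exim -bV 2>/dev/null)
status=$(exim_patched "$SAMPLE_BV" "$FIXED_VERSION") || true
echo "installed Exim $(exim_version_from_bv "$SAMPLE_BV"); required >= $FIXED_VERSION; status: $status"
```

On a real host run it as FIXED_VERSION=<version from the release notes> ./check-exim.sh after pointing it at the live exim -bV output. Remember the backport caveat from above: on Debian, Ubuntu and similar distributions a patched package can still report an older upstream version, so a "vulnerable" verdict from a pure version comparison means "verify against the distribution advisory", not "definitely exploitable".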
METABYTE studio comment: Exim is a powerful tool, but keeping it secure takes regular audits. We help clients not only configure mail servers but also scan them for vulnerabilities before attackers do. Trust us: paying for an audit is cheaper than dealing with the aftermath of an RCE.