## https://sploitus.com/exploit?id=PACKETSTORM:189388
# CVE 2025-26794
- Sat, 08 Feb 2025 21:14:37 +0100: reported
- by: "Oscar Bataille" <batailleoscar@protonmail.com>
- to: security@exim.org
- Sun, 9 Feb 2025 00:00:05 +0100: report confirmed
- Tue, 11 Feb 2025 00:23:34 +0100: issue confirmed
- Tue, 11 Feb 2025 00:23:34 +0100: issue confirmed
- Tue, 11 Feb 2025 12:54:10 +0000: CVE ID requested
- Fri, 14 Feb 2025 04:19:13 -0500: CVE ID 2025-26794 received
- Tue, 18 Feb 2025 20:56:25 +0100: sent notification to <distros@vs.openwall.org>
- Wed, 19 Feb 2025 23:07:02 +0100: sent notification to <oss-security@lists.openwall.com>, and <exim-users@lists.exim.org>
- Wed, 19 Feb 2025 23:07:02 +0100: sent notification to <oss-security@lists.openwall.com>, and <exim-users@lists.exim.org>
- Thu, 20 Feb 2025 18:36:34 +0100: sent notification to <exim-announce@lists.exim.org>
- Fri, 21 Feb 2025 13:00:00 +0100: published the changes on https://code.exim.org/exim/exim.git
## Details
A SQL injection is possible.
The following conditions have to be met for being vulnerable:
- Exim Version 4.98
- Build time option _USE_SQLITE_ is set (it enables the use of SQLite
for the hints databases) -- check the output of `exim -bV`, whether it
contains
```
Hints DB:
Using sqlite3
```
- Runtime config enables ETRN (`acl_smtp_etrn` returns _accept_
(defaults to _deny_))
- Runtime config enforces ETRN serialization (`smtp_etrn_serialize` is
set to _true_ (defaults to _true_))
## Acknowledgements
Thanks to Oscar Bataille for discovering and reporting this issue in a
responsible manner.