HostSEO Blog

Stories and News from IT Industry, Reviews & Tips | Technology Blog


Vulnerabilities are discovered very often in various computer programs, and most of them are quickly patched by developers. Typical vulnerabilities disappear almost un-noticed, since they are fixed by routine update schedules.

In fact, most vulnerabilities are never exploited, since they are discovered by security professionals rather than hackers, or are very difficult to execute.

However, some exploits can be extremely dangerous because they target common software found on many servers or workstations, and scripts are available online that allow even a user with little experience to compromise other systems. These require immediate action from system administrators and must be patched as soon as possible.

EXIM CVE-10149

The latest serious threat of this type is a vulnerability of the popular Linux mail server Exim, known as CVE-2019-10149.

It was discovered by Qualys and affects all versions of Exim from 4.87 to 4.91. A bug in the deliver_message() function in the file /src/deliver.c causes recipient address validation to be faulty. As a result, a single malicious email sent to the server is enough to allow remote command execution, as the root user.

Depending on the actual Exim configuration, some servers can be more resilient and require some manual work for a successful hack.

It is very easy to find out if your system is vulnerable by executing the following command on Red Hat systems:

The equivalent in Debian family operating systems will generate more verbose output:

In addition, a vulnerable Exim package will be identified by any up-to-date security scan and considered to be a high threat alert.


Unlike other hacks that usually only install crypto-currency miners that are easy to remove, the Exim exploit severely compromises the infected systems and can only be cleaned by an experienced system administrator.

It is easy to check if your server has been hacked, just look for any suspicious cron jobs. Removing the cron is not enough, since it will be installed again and is actually triggered from multiple locations, such as the rc.local file.

Other symptoms are the status of services such as FTP, which are often killed by the malware script.

In addition, the hack alters a number of system service files, as well as key binaries. In some cases, the only option is a restoration from backup or complete system reinstall.


The developers of WHM and cPanel were very quick to release a patched version of Exim for the newest WHM version.

After a few days, they also released patches for several older versions of WHM, in order to reduce the number of vulnerable servers. As a result, all WHM systems can be updated, stating with version 70.

Installing the patches is very easy. Most servers are configured to check for updates automatically every night, so there is a high chance that your system has already been patched and is fully protected.

Automatic updates can be configured from the Update Preferences menu of WHM. If you prefer to update your server manually, a yellow notification in the upper-right corner of the screen will alert you that a newer version is available.

Regardless if you choose automatic or manual updates, it is a good practice to check the Exim version afterwards, to make sure that it was patched.

This is because WHM updates can sometimes be blocked or fail due to various causes, such as insufficient disk space of incompatible services. However, the upgrade appears to be completed and you can only discover that new packages were not actually installed by inspecting the log files.


No patches are available for WHM servers older than version 70 but some systems are not affected by the Exim hack, simply because the package is so old that is not vulnerable.

If your server runs a version that can be exploited, you have to plan an upgrade as soon as possible because it will be eventually hacked.

The easiest way to upgrade is to provision a new server, with the latest CentOS and WHM. You can use the excellent Transfer Tool to migrate all domains from the old machine to the new one. If you must use obsolete services, such as php 5.3 or older, installing Cloud Linux is the best option.


Almost all Linux distributions will provide patched versions of Exim, so use your package manager to update from the command line.

These are the commands that have to be executed, on RedHat and Debian family operating systems:



The Exim vulnerability known as CVE-2019-10149 can result in a very serious hack on servers that are not patched in time, resulting in downtimes, loss of data or even the need of a full reinstall.

In order to protect your systems from future exploits, make sure you have a robust update schedule, so your servers are always running the latest packages.

Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar


Born in 2004 ... Trusted By Clients n' Experts

SEO Stars

They never made me feel silly for asking questions. Help me understand how to attract more people and improve my search engine ranking.

Read More

Emily Schneller Manager at Sabre Inc
SEO Stars

Took advantage of Hostseo's superb tech support and I must say, it is a very perfect one. It is very fast, servers reliability is incredible.

Read More

Leena Mäkinen Creative producer
SEO Stars

We're operating a worldwide network of servers with high quality standards requirements, we’ve choose hostseo to be our perfect partner.

Read More

Ziff Davis CEO at Mashable
SEO Stars

It’s very comfortable to know I can rely about all technical issues on Hostseo and mostly that my website and emails are safe and secured here.

Read More

Isaac H. Entrepreneur
SEO Stars

With hostseo as a hosting partner we are more flexible and save money due to the better packages with great pricing, free SEO n' free SSL too!

Read More

Madeline E. Internet Professional