Last updated: July 5, 2026 at 9:01 AM UTC
Tag: unauth-rce (2 articles)

Critical 'Dead.Letter' use-after-free in Exim mail server enables unauthenticated remote code execution over TLS - GnuTLS builds only (CVE-2026-45185)

Exim, the open-source mail transfer agent that ships as the default MTA on Debian and handles a large share of internet mail, has a critical use-after-free in its handling of message bodies sent with the BDAT chunking extension over TLS. The flaw, CVE-2026-45185 (CVSS 9.8), nicknamed Dead.Letter by its discoverer XBOW, triggers when a TLS connection is closed via close_notify in the middle of a BDAT chunk and Exim then processes one more cleartext byte. That byte is written into already-freed memory, corrupting the heap, and XBOW turned the corruption into an unauthenticated RCE primitive. Only Exim builds compiled with USE_GNUTLS=yes are affected; OpenSSL builds are not.

Check: Check the installed Exim version and verify how the package was built (GnuTLS vs OpenSSL). On any internet-facing MTA you own, look for EHLO responses on TCP/25, 465, and 587 that advertise both STARTTLS and CHUNKING.
Affected: Exim versions 4.97 through 4.99.2 compiled with USE_GNUTLS=yes (the Debian default). Affects internet-facing MTAs that advertise both STARTTLS and CHUNKING (BDAT), a common configuration at ISPs, shared hosting providers, university mail systems, and small relays.
Fix: Upgrade to Exim 4.99.3 or the matching distribution package (Debian DSA-6265-1 covers oldoldstable, oldstable, and stable; Ubuntu 24.04 LTS shipped its update on May 12). Where patching is blocked, rebuild against OpenSSL or restrict the SMTP ports to known peers.

Fortinet patches critical unauthenticated RCE flaws in FortiSandbox and FortiAuthenticator - identity and threat-detection products that protect everything else (CVE-2026-26083, CVE-2026-44277)

Fortinet patched two critical RCE flaws on Tuesday. CVE-2026-44277 in FortiAuthenticator (Fortinet's IAM/MFA platform) lets unauthenticated attackers execute code via crafted requests. CVE-2026-26083 (CVSS 9.1) in FortiSandbox's web UI lets unauthenticated attackers run code via HTTP requests. Neither is confirmed exploited yet, but Fortinet products have a long exploitation history; CISA flagged FortiClient EMS as actively exploited in April. FortiSandbox is the threat-detection backbone for many Fortinet-centric SOCs, and FortiAuthenticator gates MFA and SSO.

Check: Inventory FortiAuthenticator and FortiSandbox versions. Confirm that management UIs aren't internet-reachable. Check logs for unfamiliar admin sessions since early May.
Affected: FortiAuthenticator before 6.5.7, 6.6.9, and 8.0.3. FortiSandbox 5.0.0-5.0.1 and 4.4.0-4.4.8. FortiAuthenticator Cloud (FortiTrust Identity) is not affected.
Fix: Upgrade FortiAuthenticator to 6.5.7, 6.6.9, or 8.0.3. Upgrade FortiSandbox to 5.0.2+, 4.4.9+, or 5.0.6+ (Cloud). Restrict management UIs to trusted IPs.