Security experts from Qualys have discovered a flaw, tracked as CVE-2020-7247, in OpenSMTPD.
The CVE-2020-7247 vulnerability is a local privilege escalation and remote code execution issue that remote attackers can exploit to execute arbitrary code with root privileges on a server that uses OpenSMTPD.
An attacker could exploit the flaw by sending malformed SMTP messages to a vulnerable server.
The experts pointed out that exploitation had some limitations:
“Nevertheless, our ability to execute arbitrary shell commands through the local part of the sender address is rather limited:
The CVE-2020-7247 flaw was introduced in the OpenSMTPD in May 2018, but many
The experts also released a proof of concept exploit code for the vulnerability.
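Because the issue hinges on the local part of the sender address carrying characters a mail server should never accept, a defender can check envelope senders against the RFC 5321 "atext" alphabet (the same character set a strict local-part validator allows). The following is an added example, not Qualys' proof of concept or OpenSMTPD's own code; it assumes SMTP session log lines of the form `MAIL FROM:<...>` and the sample lines are constructed.

```python
import re

# RFC 5321 "atext" characters: letters, digits and a fixed set of symbols.
# Shell separators such as ';', space, '(' and ')' are not in this set.
ATEXT = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)

def valid_localpart(local: str) -> bool:
    """Dot-atom check: one or more non-empty atoms of atext joined by single dots."""
    if not local:
        return False
    for atom in local.split("."):
        if not atom or any(ch not in ATEXT for ch in atom):
            return False
    return True

# Matches the envelope sender command as it appears in an SMTP transcript.
MAIL_FROM = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

def suspicious_senders(lines):
    """Return (line_no, address) for MAIL FROM commands whose local part fails
    the atext check. The empty reverse-path <> is legitimate for bounces and is
    not flagged; an address with no '@' is treated as a bare local part."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = MAIL_FROM.search(line)
        if not m:
            continue
        addr = m.group(1)
        if addr == "":
            continue
        local = addr.rsplit("@", 1)[0]
        if not valid_localpart(local):
            hits.append((n, addr))
    return hits

# Constructed sample session lines (not from the original report).
SAMPLE = [
    "MAIL FROM:<alice@example.com>",      # valid
    "MAIL FROM:<>",                       # empty return-path, allowed for bounces
    "MAIL FROM:<bob>",                    # no domain, but a valid local part
    "MAIL FROM:<bad;part@example.com>",   # ';' is not atext
    "MAIL FROM:<a b>",                    # space is not atext
    "RCPT TO:<carol@example.com>",        # not a sender command, ignored
]

if __name__ == "__main__":
    for line_no, addr in suspicious_senders(SAMPLE):
        print(f"line {line_no}: rejected sender local part in <{addr}>")
```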