SERVER-MAIL -- Snort has detected traffic exploiting vulnerabilities in mail servers (such as Exchange, Courier). These are different from protocol traffic, as this deals with the traffic going to the mail server itself.
SERVER-MAIL Exim ETRN SQL injection attempt
This rule looks for SMTP "ETRN" commands that contain characters commonly used in SQL injection payloads. Successful exploitation could allow an attacker to execute arbitrary SQL statements on the mail server's database.
This rule fires on attempts to exploit a SQL injection vulnerability in Exim mail servers.
Public information/Proof of Concept available
Known false positives, with the described conditions
This rule looks for ETRN commands that contain a single quote anywhere in their argument.
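The matching condition described above, as an added Python example (not the Snort rule itself and not Talos code): it scans the client side of an SMTP session for ETRN commands whose argument contains a single quote, and shows that a harmless apostrophe triggers the same match. The function name, the sample session and the DATA-tracking heuristic are assumptions made for illustration.

```python
import re

# "ETRN <argument>" at the start of a command line; SMTP verbs are case-insensitive.
ETRN_RE = re.compile(rb"^ETRN[ \t]+(?P<arg>.*)$", re.IGNORECASE)


def find_suspicious_etrn(client_stream: bytes):
    """Return (line_no, argument) for every ETRN command whose argument
    contains a single quote. Lines inside a DATA body are skipped so that
    message text which merely mentions ETRN is not reported.

    Assumption: only client-to-server bytes are available, so the DATA
    state is inferred from the client's own DATA command and the
    terminating "." line (BDAT chunking is not handled)."""
    hits = []
    in_data = False
    for line_no, raw in enumerate(client_stream.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if in_data:
            if line == b".":          # end-of-message marker
                in_data = False
            continue
        if line.strip().upper() == b"DATA":
            in_data = True
            continue
        m = ETRN_RE.match(line)
        if m and b"'" in m.group("arg"):
            hits.append((line_no, m.group("arg").decode("latin-1")))
    return hits


# Constructed sample session (client side only), not captured traffic.
SAMPLE = (
    b"EHLO client.example\r\n"
    b"ETRN example.org\r\n"              # no quote: ignored
    b"etrn node'test\r\n"                # quote in argument: reported
    b"ETRN o'brien.example\r\n"          # benign apostrophe: also reported
    b"MAIL FROM:<a@client.example>\r\n"
    b"RCPT TO:<b@example.org>\r\n"
    b"DATA\r\n"
    b"ETRN it's only body text\r\n"      # inside message body: skipped
    b".\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for line_no, arg in find_suspicious_etrn(SAMPLE):
        print(f"line {line_no}: ETRN argument contains a single quote: {arg!r}")
```

Because the condition is only "a quote is present", triage of a hit depends on the rest of the argument and on whether the receiving host is an Exim server.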
Cisco Talos Intelligence Group
MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application
Rule Categories::Server::Mail
Vulnerability::Severity::Critical
Vulnerability::Severity::High
SQL Injection
SQL Injection attacks target PHP and ASP applications primarily and involve SQL queries or commands added to unverified user input. A successful attack can lead to data leaks (entirely exposed data), database modification (data deletion or tampering), administrative permissions misuse, and sometimes direct commands passed to the operating system.
CVE-2025-26794