5 May 2021

Millions of Exim email servers impacted by dangerous flaws



Millions of unpatched Exim email servers are potentially vulnerable to a set of bugs collectively called ‘21 Nails’ that could expose servers to cyberattacks. The vulnerabilities, discovered by researchers at Qualys, allow unauthenticated remote hackers to execute arbitrary code and gain root privileges on mail servers with default or common configurations.

According to Qualys, the popular mail transfer agent Exim contains 21 vulnerabilities: ten can be exploited remotely, and the other 11 are local flaws (the full list can be found here).

The ‘21 Nails’ flaws impact all versions of Exim before 4.94.2. “Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server,” Qualys said in a blog post.

The researchers noted that the discovered vulnerabilities affect all Exim versions "going back all the way to 2004," meaning that most vulnerabilities have been present for 17 years.

According to a Shodan search, there are nearly four million known exposed Exim servers. A SecuritySpace survey from March estimated that 60% of visible mail servers use Exim.

The developers behind Exim have released a security update, exim-4.94.2, that contains all changes on the exim-4.94+fixes branch as well as the security fixes. Users are strongly advised to update their Exim instances as soon as possible.

