CVE-2020-7247

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands...

Basic Information

CVE State
PUBLISHED
Reserved Date
January 20, 2020
Published Date
January 29, 2020
Last Updated
February 04, 2025
Vendor
n/a
Product
n/a
Description
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2022-03-25 00:00:00 UTC)
Proof of Concept Available
Yes (added 2021-11-26 17:28:56 UTC)

Known Exploited Vulnerability Information

Source Added Date
CISA 2022-03-25 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

opensmtpd_mail_from_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2020-7247

SimonSchoeni/CVE-2020-7247-POC

Type: github • Created: 2021-11-26 17:28:56 UTC • Stars: 2

Proof of concept for CVE-2020-7247 for educational purposes.

f4T1H21/CVE-2020-7247

Type: github • Created: 2021-06-19 07:34:42 UTC • Stars: 2

PoC exploit for CVE-2020-7247 OpenSMTPD 6.4.0 < 6.6.1 Remote Code Execution

bytescrappers/CVE-2020-7247

Type: github • Created: 2021-06-02 12:02:33 UTC • Stars: 0

This vulnerability exists in OpenBSD's mail server OpenSMTPD's "smtp_mailaddr()" function, and affects OpenBSD version 6.6. This allows an attacker to execute arbitrary shell commands like "sleep 66" as the root user.

QTranspose/CVE-2020-7247-exploit

Type: github • Created: 2021-02-13 06:57:47 UTC • Stars: 11

OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution PoC exploit

r0lh/CVE-2020-7247

Type: github • Created: 2020-02-18 10:52:38 UTC • Stars: 3

Proof Of Concept Exploit for CVE-2020-7247 (Remote Execution on OpenSMTPD < 6.6.2)