Vulnerability detail
Enriched intelligence for a single CVE
CVE-2020-7247
Severity: Critical
Status: PUBLISHED
- Vendor: OpenBSD
- Product: OpenSMTPD
- Published: Jan 29, 2020
- EPSS: —
Description
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
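The "incorrect return value upon failure of input validation" is the whole bug, so it is worth seeing as control flow. The block below is an added example written for this page, not OpenSMTPD's code: a reduced C model of the MAIL FROM check in smtp_mailaddr() with the pre-fix and corrected flows side by side. The valid_localpart()/valid_domainpart() character tables, the LOCAL_DOMAIN value, the parse_path() helper and the sample sender paths are all assumptions or constructed for the demonstration; the real validators live in OpenSMTPD's to.c and the real fix is the referenced commit 9dcfda0.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSMTPD's code: a reduced model of the MAIL FROM check in
 * smtp_mailaddr() (smtp_session.c), showing why 6.6/6.6.1 accepted a sender like
 * <;sleep 66;> and how the corrected control flow rejects it. The two valid_*()
 * helpers are simplified stand-ins (assumption); the real ones live in to.c. */

#define LOCAL_DOMAIN "mail.example.org" /* listener's domain (assumption) */

struct mailaddr { char user[256]; char domain[256]; };

/* Dot-atom local part: alphanumerics plus a fixed punctuation set.
 * Shell metacharacters such as ';', ' ', '|', '<', '>' are not in it. */
static int valid_localpart(const char *s) {
    const char *allowed = "!#$%&'*+-/=?^_`{}~";
    if (*s == '\0' || *s == '.') return 0;
    for (; *s != '\0'; s++) {
        if (isalnum((unsigned char)*s) || strchr(allowed, *s) != NULL) continue;
        if (*s == '.' && s[1] != '\0' && s[1] != '.') continue; /* atom separator */
        return 0;
    }
    return 1;
}

/* Hostname-style domain part (IP literals not modelled). */
static int valid_domainpart(const char *s) {
    if (*s == '\0' || *s == '.' || *s == '-') return 0;
    for (; *s != '\0'; s++) {
        if (isalnum((unsigned char)*s) || *s == '-') continue;
        if (*s == '.' && s[1] != '\0' && s[1] != '.') continue;
        return 0;
    }
    return 1;
}

/* Split "<user@domain>", "<user>" or "<>" into parts; 0 on syntax error. */
static int parse_path(struct mailaddr *m, const char *line) {
    const char *end, *at;
    size_t len, ulen;
    char buf[512];

    memset(m, 0, sizeof(*m));
    if (line == NULL || line[0] != '<' || (end = strchr(line, '>')) == NULL) return 0;
    len = (size_t)(end - line - 1);
    if (len >= sizeof(buf)) return 0;
    memcpy(buf, line + 1, len);
    buf[len] = '\0';
    at = strrchr(buf, '@');
    ulen = at != NULL ? (size_t)(at - buf) : len;
    if (ulen >= sizeof(m->user) || (at != NULL && strlen(at + 1) >= sizeof(m->domain)))
        return 0;
    memcpy(m->user, buf, ulen);           /* m->user is already zero-terminated */
    if (at != NULL) strcpy(m->domain, at + 1);
    return 1;
}

/* Pre-fix flow: once validation fails, the "local user without a domain" branch
 * fills in LOCAL_DOMAIN and returns success without re-checking the local part
 * that just failed. That incorrect return value is the CVE. */
static int smtp_mailaddr_vulnerable(struct mailaddr *m, const char *line, int mailfrom) {
    if (!parse_path(m, line)) return 0;
    if (!valid_localpart(m->user) || !valid_domainpart(m->domain)) {
        if (mailfrom && m->user[0] == '\0' && m->domain[0] == '\0')
            return 1;                     /* empty return-path, needed for bounces */
        if (m->user[0] == '\0') return 0; /* no local part */
        if (m->domain[0] == '\0') {       /* BUG: local part was never re-validated */
            snprintf(m->domain, sizeof(m->domain), "%s", LOCAL_DOMAIN);
            return 1;
        }
        return 0;
    }
    return 1;
}

/* Corrected flow: reject an invalid local part before any domain defaulting,
 * then validate whatever domain ends up in the address. */
static int smtp_mailaddr_fixed(struct mailaddr *m, const char *line, int mailfrom) {
    if (!parse_path(m, line)) return 0;
    if (mailfrom && m->user[0] == '\0' && m->domain[0] == '\0') return 1;
    if (m->user[0] == '\0' || !valid_localpart(m->user)) return 0;
    if (m->domain[0] == '\0') snprintf(m->domain, sizeof(m->domain), "%s", LOCAL_DOMAIN);
    return valid_domainpart(m->domain);
}

int main(void) {
    /* constructed sample paths as they would appear after "MAIL FROM:" */
    const char *paths[] = { "<>", "<alice>", "<alice@example.org>",
                            "<;sleep 66;>", "<;sleep 66;@example.org>" };
    struct mailaddr m;
    size_t i;
    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-26s vulnerable=%d fixed=%d\n", paths[i],
               smtp_mailaddr_vulnerable(&m, paths[i], 1), smtp_mailaddr_fixed(&m, paths[i], 1));
    return 0;
}
```

The interesting row is `<;sleep 66;>`: the local part fails validation, but because the domain is empty the pre-fix code takes the "local user" recovery branch, fills in the listener's domain and reports success, so the string reaches later delivery stages unvalidated. The same local part with an explicit domain is rejected by both versions, which is why the reported trigger is a domainless MAIL FROM. In the corrected flow the local part is checked before any domain defaulting, so there is no path to a success return with an invalid local part.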
CVSS scores
- CVSS v3.1 (base score 9.8, Critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS v2 (base score 10.0): AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploitation status
Exploited in the wild; recorded 2022-03-25 00:00:00 UTC (see Known exploited vulnerability sources below).
SSVC decision points
- Exploitation: active
- Automatable: yes
- Technical impact: total
References
- https://www.openbsd.org/security.html
- http://www.openwall.com/lists/oss-security/2020/01/28/3
- https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
- http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html
- https://seclists.org/bugtraq/2020/Jan/51
- https://www.debian.org/security/2020/dsa-4611
- http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
- https://www.kb.cert.org/vuls/id/390745
- http://seclists.org/fulldisclosure/2020/Jan/49
- http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html
- https://usn.ubuntu.com/4268-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/
- http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Mar 25, 2022 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2020/CVE-2020-7247.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
- github · Created 2021-11-26 17:28:56 UTC · 2 stars: Proof of concept for CVE-2020-7247 for educational purposes.
- github · Created 2021-06-19 07:34:42 UTC · 2 stars: PoC exploit for CVE-2020-7247 OpenSMTPD 6.4.0 < 6.6.1 Remote Code Execution
- github · Created 2021-06-02 12:02:33 UTC · 0 stars: This vulnerability exists in OpenBSD's mail server OpenSMTPD's "smtp_mailaddr()" function, and affects OpenBSD version 6.6. This allows an attacker to execute arbitrary shell commands like "sleep 66" as root user
- github · Created 2021-02-13 06:57:47 UTC · 11 stars: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution PoC exploit
- github · Created 2020-02-18 10:52:38 UTC · 3 stars: Proof Of Concept Exploit for CVE-2020-7247 (Remote Execution on OpenSMTPD < 6.6.2)
Timeline
- CVE ID Reserved
- CVE Published to Public: Jan 29, 2020
- Added to KEVIntel
- Detected by Nuclei: Apr 25, 2025
- Detected by Metasploit: Apr 28, 2025