Security researchers have discovered a new critical vulnerability in the OpenSMTPD email server. An attacker could exploit it remotely to run shell commands as root on the underlying operating system. OpenSMTPD is present on many Unix-based systems, including FreeBSD, NetBSD, macOS, and Linux (Alpine, Arch, Debian, Fedora, CentOS).
Bug present since late 2015
Tracked as CVE-2020-8794, the remote code execution bug is present in OpenSMTPD's default installation. Proof-of-concept (PoC) exploit code has been created and will be released tomorrow, February 26.