VIR Vulnerability Intelligence Relay

CVE-2020-7247

critical KEV
Published 2022-03-25 · Modified 2022-03-25
CVSS v3
CVSS v2
VIR risk
10.0

Description

smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session.

CISA KEV

Vendor
OpenBSD
Product
OpenSMTPD
Due date
2022-04-15

Predictions

Exploit likelihood
99%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2020-7247

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-7247

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-202001-6

Exploits

OS impact
OSVersionStatusFixed in
arch archfixed6.6.2p1-1
debian debianbookwormfixed6.6.2p1-1
debian debianbullseyefixed6.6.2p1-1
debian debianforkyfixed6.6.2p1-1
debian debiansidfixed6.6.2p1-1
debian debiantrixiefixed6.6.2p1-1

References

Verify integrity in audit chain (admin only). AS-IS.