A critical severity vulnerability present in multiple versions of the Exim mail transfer agent software makes it possible for unauthenticated remote attackers to execute arbitrary commands on mail servers. The flaw impacts Exim versions 4.87 to 4.91 and is caused by the improper validation of recipient addresses in the deliver_message() function in /src/deliver.c. The vulnerability, tracked as CVE-2019-10149 and rated as critical, can be exploited instantly “by a local attacker (and by a remote attacker in certain non-default configurations).”
Source: https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-local-remote-attacks/
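
A version check a defender can run over collected `exim -bV` output or SMTP greeting banners, using the affected range stated above (4.87 to 4.91). This is an added example, not code from the article or the Exim project; the function names and the sample lines are constructed for illustration.

```python
import re

# Affected range as stated in the article: Exim 4.87 through 4.91 inclusive.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Matches both "Exim version 4.90_1 #2 built ..." (first line of `exim -bV`)
# and "220 host ESMTP Exim 4.89 ..." (SMTP greeting banner).
_VERSION_RE = re.compile(r"\bExim\s+(?:version\s+)?(\d+)\.(\d+)", re.IGNORECASE)


def parse_exim_version(text):
    """Return (major, minor) from the first Exim version string found, or None."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(text):
    """Return 'affected', 'not-affected' or 'unknown' for one line of output."""
    version = parse_exim_version(text)
    if version is None:
        # Banner suppressed or not Exim: report it, do not treat it as safe.
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


# Constructed sample input (hostnames and build details are made up).
SAMPLES = [
    "Exim version 4.90_1 #2 built 14-Feb-2018 10:00:00",
    "220 mail.example.test ESMTP Exim 4.89 Mon, 10 Jun 2019 09:00:00 +0000",
    "Exim version 4.92 #3 built 12-Feb-2019 12:00:00",
    "220 mx.example.test ESMTP Exim 4.86_2 Mon, 10 Jun 2019 09:00:00 +0000",
    "220 relay.example.test ESMTP ready",
]


def triage(lines):
    """Map each input line to its classification, preserving order."""
    return [(line, classify(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in triage(SAMPLES):
        print(f"{verdict:13} {line}")
```

The release number alone does not show whether a distribution package carries a backported fix, so treat an "affected" result as a prompt to check the vendor's advisory for that package.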

