Rule Category

SERVER-MAIL -- Snort has detected traffic exploiting vulnerabilities in mail servers (such as Exchange or Courier). These rules are distinct from protocol-level rules: they cover traffic directed at the mail server software itself rather than the mail protocol in general.

Alert Message

SERVER-MAIL Exim ETRN SQL injection attempt

Rule Explanation

This rule looks for SMTP "ETRN" commands that contain characters commonly used in SQL injection payloads. Successful exploitation could allow an attacker to execute arbitrary SQL statements on the mail server's database.

What To Look For

This rule fires on attempts to exploit a SQL injection vulnerability in Exim mail servers.

Known Usage

Public information/Proof of Concept available

False Positives

Known false positives, with the described conditions

This rule looks for ETRN commands that contain a single quote anywhere in their argument, so any ETRN argument carrying a single quote will trigger it, whether or not the command is part of an injection attempt.
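The match condition described above (an SMTP ETRN command whose argument contains a single quote), as an added illustration in Python rather than Snort rule syntax; this is not Talos's rule or any Exim code, and the SMTP command lines are constructed for the example, not captured traffic:

```python
import re

# Constructed sample client-to-server SMTP command lines (not captured traffic).
SAMPLE_COMMANDS = [
    "EHLO mail.example.test",                 # not ETRN, ignored
    "ETRN example.test",                      # ordinary ETRN, no quote
    "ETRN #example.test",                     # RFC 1985 '#' form, no quote
    "ETRN example.test' OR 'a'='a",           # quote in argument, would alert
    "MAIL FROM:<user@example.test>",          # not ETRN, ignored
    "etrn o'brien.example.test",              # quote in a non-SQL-looking argument, still alerts
]

# ETRN is matched case-insensitively, as SMTP verbs are; the rest of the line is the argument.
ETRN_RE = re.compile(r"^\s*ETRN\b\s*(?P<arg>.*)$", re.IGNORECASE)


def etrn_argument(line: str):
    """Return the ETRN argument string, or None when the line is not an ETRN command."""
    m = ETRN_RE.match(line.rstrip("\r\n"))
    return m.group("arg") if m else None


def is_suspicious_etrn(line: str) -> bool:
    """Mirror the rule's stated condition: an ETRN whose argument contains a single quote."""
    arg = etrn_argument(line)
    return arg is not None and "'" in arg


def scan(lines):
    """Return (line_number, command) pairs that would trigger the alert, for review."""
    return [(n, cmd) for n, cmd in enumerate(lines, 1) if is_suspicious_etrn(cmd)]


if __name__ == "__main__":
    for n, cmd in scan(SAMPLE_COMMANDS):
        print(f"line {n}: ETRN argument contains a single quote: {cmd!r}")
```

The last sample shows the false-positive surface the page describes: the logic keys on the quote character alone, so analysts should review the full argument before escalating.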

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

Rule Categories::Server::Mail

Vulnerability::Severity::Critical

Vulnerability::Severity::High

CVE

Additional Links

Rule Vulnerability

SQL Injection

SQL Injection attacks target PHP and ASP applications primarily and involve SQL queries or commands added to unverified user input. A successful attack can lead to data leaks (entirely exposed data), database modification (data deletion or tampering), administrative permissions misuse, and sometimes direct commands passed to the operating system.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2025-26794