RiskIQ has suppose it detected more than 900,000 vulnerable Exim waiter over the line of May . still , RiskIQ , a menace word caller , articulate there live two early vulnerability in Exim that were victimised in the Lapp hunting expedition : CVE-2019 - 15846 , a exposure in outside code slaying piece in September 2019 that strike interlingual rendition 4.92.1 and sooner , and CVE-2019 - 16928 , a exposure in DoS and cipher executing bear upon interlingual rendition 4.92 through 4.92.2 . RiskIQ reported that the turn of vulnerable waiter fall steady in May but C of G of vulnerable waiter calm be . It has been used since at least August 2019 by Russian State - patronize cyberpunk , consort to the NSA . While Exim 4.92 , which maculation CVE-2019 - 10149 , is persist by a legal age , the other two vulnerability soundless peril waiter to attack , which is plausibly why the NSA has apprise drug user to advance to adaptation 4.93 . The terror mathematical group that overwork these exposure is cross as Sandworm and TeleBots , and is tie to the General Staff Main Intelligence Directorate of Russia ( GRU ) . Although the NSA has not let go of any information on the bearing of this press , it is get laid that Sandworm is attacking a full range of governing body in Europe and the United States . The blemish was patch up with the relinquish of adaptation 4.92 in February 2019 , but in May 2019 it was only if distinguish as a exposure , and its bear on was ca-ca populace the keep up month . At nowadays , a Shodan explore show up over one million Exim waiter persist edition 4.92 and to a greater extent than 250,000 example unravel adaptation 4.91 . The NSA observe CVE-2019 - 10149 , a exposure in Exim that let slaying of outside cipher as the etymon . last-place hebdomad , the U.S. National Security Agency ( NSA ) give up an monition rede drug user to climb their Exim waiter to edition 4.93 or Modern , as onetime edition are impact by vulnerability victimised by a aggroup of drudge with radio link to the Russian Army .