Dead.letter (CVE-2026-45185) Humans vs. LLM for Unauthenticated RCE Race on Exim
Key takeaways
- A story of encounters and misencounters, of broken hearts and quiet betrayals, of loves once thought to be forever turning out to be something else entirely.
- These pages are the by-product of the early days of testing a product we are building.
- I have spent almost ten years writing exploits professionally, and twenty in security altogether.
Dead.Letter (CVE-2026-45185) How XBOW found an unauthenticated RCE on Exim
XBOW discovered CVE-2026-45185, a critical unauthenticated RCE in Exim, and used the disclosure window to test how far human and autonomous exploit development could go.
What follows is, before anything else, a story. One of those old, well-worn ones. A story of encounters and misencounters, of broken hearts and quiet betrayals, of loves once thought to be forever turning out to be something else entirely. Told, this time, in a setting where stories of that shape are not usually told.
These pages are the by-product of the early days of testing a product we are building. A product focused on finding and detecting vulnerabilities in native code. So what you are about to read is two things at once. It is the technical account of a vulnerability of worldwide reach that we found and reported, and it is also, more quietly, the account of how I tried to make peace with the new shape of the world we are now living in.