Updated exim packages are available, which fix a problem when handling certain types of addresses with some configurations. The default configuration does not exhibit this problem.
When the local exim configuration directs or routes an address to a pipe transport without verifying that the local part is valid, the command encoded in the local part will be executed. This problem does not apply to pipes run from alias or forward files since the local part is verified in that case. However if, for example, all incoming mail is filtered in some way (perhaps with a virus checker) without verifying that the local part is valid then your site may be affected by this problem. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0889 to this issue. It is recommended that all exim users upgrade to provided packages.