CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 99.8%
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka ‘Microsoft Exchange Memory Corruption Vulnerability’.
Recent assessments:
zeroSteiner at February 26, 2020 5:02pm UTC reported:
This is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The write-up by ZDI outlines an exploitation path in great detail, showing how the vulnerability would be leveraged to gain command execution as NT_AUTHORITY\SYSTEM on the server.
The root of the issue is that the validationKey is not randomized at installation time, resulting in Exchange servers using an attacker-known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized, which can result in code execution.
The important values from the write-up are:
validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
validationalg = SHA1
I anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the Domain Users group and have a configured mailbox in Exchange.
The ViewState must be transferred within a GET request; POST cannot be used. This introduces size restrictions on the OS command that can be executed.
hartescout at February 26, 2020 2:30am UTC reported:
J3rryBl4nks at March 02, 2020 10:11pm UTC reported:
theguly at February 28, 2020 4:45pm UTC reported:
xFreed0m at March 10, 2020 2:34pm UTC reported:
todb-r7 at April 09, 2020 2:08pm UTC reported:
ccondon-r7 at March 06, 2020 11:31pm UTC reported:
tsellers-r7 at March 05, 2020 10:29pm UTC reported:
gwillcox-r7 at October 20, 2020 6:47pm UTC reported:
jbarto at February 28, 2020 4:51pm UTC reported:
Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4
packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html
packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688
github.com/W01fh4cker/CVE-2020-0688-GUI
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
www.zerodayinitiative.com/advisories/ZDI-20-258