Microsoft Exchange Remote Code Execution Vulnerability
CVE-2023-35368

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Exchange Server 2019 Cumulative Update 13; Microsoft Exchange Server 2016 Cumulative Update 23; Microsoft Exchange Server 2019 Cumulative Update 12
Vendor: CVE Published:; 8 August 2023

Summary

A remote code execution vulnerability exists in Microsoft Exchange Server that could allow an attacker to run arbitrary code on the server. This issue arises when the software fails to properly handle requests. Exploitation of this vulnerability enables a malicious actor to execute commands with the same privileges as the Exchange Server service user, potentially compromising sensitive data and disrupting service. Organizations using affected versions of Microsoft Exchange Server are advised to review their security posture and apply necessary mitigations.

Affected Version(s)

Microsoft Exchange Server 2016 Cumulative Update 23 x64-based Systems 15.01.0 < 15.01.2507.032

Microsoft Exchange Server 2019 Cumulative Update 12 x64-based Systems 15.02.0 < 15.02.1118.037

Microsoft Exchange Server 2019 Cumulative Update 13 x64-based Systems 15.02.0 < 15.02.1258.025

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 8, 2023
Vulnerability Reserved
Jun 14, 2023