MS Exchange RCE Vulnerability Threat Intelligence Advisory

CloudSEK threat intelligence advisory on MS Exchange RCE vulnerability, dubbed CVE-2020-16875, that allows attackers highest user privileges.
Updated on
April 19, 2023
Published on
February 4, 2021
Subscribe to the latest industry news, threats and resources.
Advisory Type
Vulnerability Intelligence 
Vulnerability Type
Remote Code Execution
Microsoft Exchange Server, On-premise/Cloud
  A Remote Code Execution vulnerability (RCE) in the Microsoft Exchange server impacts Software-as-a-Service (SaaS) providers as well as on-premise instances of Exchange servers. An Exchange server, like any other Microsoft product, supports Powershell and uses the Powershell Remoting interface to expose functionalities to users and administrators. The critical flaw is reportedly present in one of the Powershell commandlet (cmdlet is a lightweight command executed in the Powershell environment) which allows the command provided by the attacker to run on the target server with high privileges. The vulnerable cmdlet is New-DlpPolicy and the class that handles this cmdlet can be found at Microsoft.Exchange.MessagingPolicies.CompliancePrograms.Tasks.NewDlpPolicy without C:\ProgramFiles\Microsoft\ExchangeServer\V15\Bin\Microsoft.Exchange.Management.dll library. The New-DlpPolicy cmdlet lets users create a new DLP policy (data loss prevention) with template data supplied by the user without proper validation in place, allowing malicious users to craft template data with system commands leading to an RCE. This can be exploited via the Exchange Control Panel (ECP) and the PS-Remoting interface. An attack via the ECP can make use of HTTPS, making it easier to craft exploit modules in metasploit, already available in the wild.  


  • Attackers can execute commands (with the highest privilege) on the target system.
  • Corporate email accounts will face the risk of compromise.
  • Compromised email accounts can be used in phishing campaigns.
  • RCE will give the attackers ability to leave backdoors on the servers.
  • Attackers can further the attack deeper into internal networks using the compromised server as a pivot.


  • Patch Bypass - Security researchers were able to bypass the patch meant for CVE-2020-16875. The first patch bypass is dubbed CVE-2020-171324. Later a bypass for 171324 was discovered, and now, a final patch is required  to address the two other bypasses.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations