MS Exchange RCE Vulnerability Threat Intelligence Advisory

CloudSEK threat intelligence advisory on MS Exchange RCE vulnerability, dubbed CVE-2020-16875, that allows attackers highest user privileges.

Updated on

April 19, 2023

Published on

February 4, 2021

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Advisory Type	Vulnerability Intelligence
Vulnerability Type	Remote Code Execution
CVE	CVE-2020-16875
Platform	Microsoft Exchange Server, On-premise/Cloud
CVSS	9.1

A Remote Code Execution vulnerability (RCE) in the Microsoft Exchange server impacts Software-as-a-Service (SaaS) providers as well as on-premise instances of Exchange servers. An Exchange server, like any other Microsoft product, supports Powershell and uses the Powershell Remoting interface to expose functionalities to users and administrators. The critical flaw is reportedly present in one of the Powershell commandlet (cmdlet is a lightweight command executed in the Powershell environment) which allows the command provided by the attacker to run on the target server with high privileges. The vulnerable cmdlet is New-DlpPolicy and the class that handles this cmdlet can be found at Microsoft.Exchange.MessagingPolicies.CompliancePrograms.Tasks.NewDlpPolicy without C:\ProgramFiles\Microsoft\ExchangeServer\V15\Bin\Microsoft.Exchange.Management.dll library. The New-DlpPolicy cmdlet lets users create a new DLP policy (data loss prevention) with template data supplied by the user without proper validation in place, allowing malicious users to craft template data with system commands leading to an RCE. This can be exploited via the Exchange Control Panel (ECP) and the PS-Remoting interface. An attack via the ECP can make use of HTTPS, making it easier to craft exploit modules in metasploit, already available in the wild.

Impact

Attackers can execute commands (with the highest privilege) on the target system.
Corporate email accounts will face the risk of compromise.
Compromised email accounts can be used in phishing campaigns.
RCE will give the attackers ability to leave backdoors on the servers.
Attackers can further the attack deeper into internal networks using the compromised server as a pivot.

Mitigation

Patch Bypass - Security researchers were able to bypass the patch meant for CVE-2020-16875. The first patch bypass is dubbed CVE-2020-171324. Later a bypass for 171324 was discovered, and now, a final patch is required to address the two other bypasses.

https://support.microsoft.com/en-gb/help/4593465/description-of-the-security-update-for-microsoft-exchange-server-2019 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17132

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

Get started

Learn more

Advisory Type

Vulnerability Type

CVE

Platform

CVSS

Protect and proceed with Actionable Intelligence