Indiscriminate, opportunistic targeting.
Trend Micro’s Zero Day Initiative (ZDI) unveiled four zero-day vulnerabilities within Microsoft Exchange, originally disclosed to Microsoft in early September 2023. These vulnerabilities have the potential to be exploited remotely, leading to arbitrary code execution or the unauthorised disclosure of sensitive data.
The disclosed vulnerabilities permit authenticated attackers to either execute arbitrary code at the SYSTEM level or to disclose sensitive information from the Exchange servers. Due to the necessity for attacker authentication, these vulnerabilities are rated between 7.1 and 7.5 on the Common Vulnerability Scoring System (CVSS) scale, which denotes a high level of severity but is mitigated by the authentication requirement.
Microsoft has been informed of these vulnerabilities but has opted to delay immediate patching based on their internal severity assessments. While these issues await patching, it is important to note:
ZDI-23-1578: Might be mitigated for those who have applied Microsoft’s August Security Updates
ZDI-23-1579, ZDI-23-1580, ZDI-23-1581: Exploitation of these issues requires pre-existing access to targeted email credentials.
Microsoft Exchange servers are at risk, particularly if they have not implemented the August Security Updates.
Containment, Mitigations & Remediations
Affected organisations should:
Ensure the installation of Microsoft’s August Security Updates
Employ multi-factor authentication to add a layer of security against compromised credentials
Minimise the Exchange applications’ exposure where possible to reduce the risk window
Strengthen password policies to deter credential theft and unauthorised access.
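The following PowerShell audit is an added example, not part of this bulletin or of any Microsoft tooling. Run from the Exchange Management Shell on a server, it checks two of the items above that are machine-verifiable: whether the August 2023 Security Update is present (by reading the ExSetup.exe file version, which is where the SU level is recorded, rather than Get-ExchangeServer, which only shows the Cumulative Update build) and which Exchange virtual directories are configured with an external URL. The minimum build numbers in `$MinimumSuBuild` are placeholders that are assumed to be filled in from Microsoft's published Exchange build table for the server's CU; the function names are the example's own.

```powershell
# Added example (not part of the bulletin). Run from the Exchange
# Management Shell on the Exchange server being audited.
#
# Assumption: keys are the CU build (major.minor.build) and values are the
# minimum ExSetup.exe file version once the August 2023 SU is applied.
# The values below are PLACEHOLDERS; replace them with the build numbers
# from Microsoft's Exchange Server build table before relying on the result.
$MinimumSuBuild = @{
    '15.2.1258' = [Version]'15.2.1258.999'   # PLACEHOLDER (Exchange 2019 CU13)
    '15.2.1118' = [Version]'15.2.1118.999'   # PLACEHOLDER (Exchange 2019 CU12)
    '15.1.2507' = [Version]'15.1.2507.999'   # PLACEHOLDER (Exchange 2016 CU23)
}

function Get-ExchangeSuVersion {
    # The SU level is visible in ExSetup.exe's file version; the fourth
    # part changes with each Security Update, the third with each CU.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    $fvi = $exsetup.FileVersionInfo
    [Version]::new($fvi.FileMajorPart, $fvi.FileMinorPart,
                   $fvi.FileBuildPart, $fvi.FilePrivatePart)
}

function Test-AugustSuInstalled {
    param([Version]$Installed, [hashtable]$Minimums)
    # Look up the minimum SU build for this server's CU and compare.
    $cuKey = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    if (-not $Minimums.ContainsKey($cuKey)) {
        return [pscustomobject]@{
            Status = 'Unknown CU (add it to $MinimumSuBuild)'
            Installed = $Installed; Required = $null
        }
    }
    $required = $Minimums[$cuKey]
    [pscustomobject]@{
        Status    = if ($Installed -ge $required) { 'August SU present' } else { 'AUGUST SU MISSING' }
        Installed = $Installed
        Required  = $required
    }
}

function Get-ExternalExposure {
    param([string]$Server = $env:COMPUTERNAME)
    # Every virtual directory with a populated ExternalUrl is reachable from
    # outside by configuration. Review each against the "minimise exposure"
    # item; anything not needed externally is a candidate for removal.
    $getters = @(
        'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
        'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
        'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory',
        'Get-PowerShellVirtualDirectory'
    )
    foreach ($g in $getters) {
        & $g -Server $Server -ErrorAction SilentlyContinue |
            Where-Object { $_.ExternalUrl } |
            Select-Object @{ n = 'Protocol'; e = { $g -replace '^Get-|VirtualDirectory$', '' } },
                          Name, ExternalUrl
    }
}

$installed = Get-ExchangeSuVersion
Test-AugustSuInstalled -Installed $installed -Minimums $MinimumSuBuild | Format-List
Get-ExternalExposure | Format-Table -AutoSize
```

A server reporting "AUGUST SU MISSING" falls into the population the bulletin describes as at risk for ZDI-23-1578; the exposure table is a starting list for deciding which endpoints can be taken off the public edge or placed behind the MFA layer recommended above. The script does not modify anything.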
Indicators of Compromise
As of the release of this bulletin, no Indicators of Compromise (IoCs) related to these vulnerabilities have been identified.
Given the critical role Microsoft Exchange plays in operational communications, the disclosed vulnerabilities present a significant risk. Authentication requirements moderate the risk but do not eliminate the potential for these vulnerabilities to be weaponised by determined adversaries.
To date, these vulnerabilities have not been exploited in the wild nor attributed to any threat actor groups.
The following Common Weakness Enumeration (CWE) entries are potentially related:
CWE-502: Deserialisation of Untrusted Data
CWE-200: Information Exposure.