
Target Industry

Indiscriminate, opportunistic targeting.

Overview

Trend Micro’s Zero Day Initiative (ZDI) unveiled four zero-day vulnerabilities within Microsoft Exchange, originally disclosed to Microsoft in early September 2023. These vulnerabilities have the potential to be exploited remotely, leading to arbitrary code execution or the unauthorised disclosure of sensitive data.

Impact

The disclosed vulnerabilities permit authenticated attackers to either execute arbitrary code at the SYSTEM level or to disclose sensitive information from the Exchange servers. Due to the necessity for attacker authentication, these vulnerabilities are rated between 7.1 and 7.5 on the Common Vulnerability Scoring System (CVSS) scale, which denotes a high level of severity but is mitigated by the authentication requirement.

Vulnerability Detection

Microsoft has been informed of these vulnerabilities but has opted to delay immediate patching based on their internal severity assessments. While these issues await patching, it is important to note:

ZDI-23-1578: May already be mitigated for organisations that have applied Microsoft’s August Security Updates.

ZDI-23-1579, ZDI-23-1580, ZDI-23-1581: Exploitation of these issues requires pre-existing access to targeted email credentials.

Affected Products

Microsoft Exchange servers are at risk, particularly if they have not implemented the August Security Updates.

Containment, Mitigations & Remediations

Affected organisations should:

Ensure the installation of Microsoft’s August Security Updates

Employ multi-factor authentication to add a layer of security against compromised credentials

Minimise the Exchange applications’ exposure where possible to reduce the risk window

Strengthen password policies to deter credential theft and unauthorised access.

Indicators of Compromise

As of the release of this bulletin, no Indicators of Compromise (IoCs) related to these vulnerabilities have been identified.

Threat Landscape

Given the critical role Microsoft Exchange plays in operational communications, the disclosed vulnerabilities present a significant risk. Authentication requirements moderate the risk but do not eliminate the potential for these vulnerabilities to be weaponised by determined adversaries.

Threat Group

To date, these vulnerabilities have not been exploited in the wild nor attributed to any threat actor groups.

Mitre Methodologies

The following Common Weakness Enumeration (CWE) entries are potentially related:

CWE-502: Deserialisation of Untrusted Data

CWE-200: Information Exposure.

Further Information

Quorum Cyber’s Microsoft Patch Tuesday bulletin for August

Microsoft Exchange ChainedSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability

Microsoft Exchange DownloadDataFromUri Server-Side Request Forgery Information Disclosure Vulnerability

Microsoft Exchange DownloadDataFromOfficeMarketPlace Server-Side Request Forgery Information Disclosure Vulnerability

Microsoft Exchange CreateAttachmentFromUri Server-Side Request Forgery Information Disclosure Vulnerability

An Intelligence Terminology Yardstick to show the likelihood of events