According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server? Yes, the attacker must be authenticated. What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would be able to take over the mailboxes of all Exchange users, attackers can send emails, read emails, download attachments. Are there any more actions I need to take to be protected from this vulnerability? Yes. Customers running an affected version of Microsoft Exchange need to enable Extended Protection to be protected from this vulnerability. For more information, see Exchange Server Support for Windows Extended Protection. Is there more information available about this release of Exchange Server? For more information on this issue, please see The Exchange Blog. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.
<a href="https://twitter.com/orange_8361">Orange Tsai (@orange_8361)</a> with <a href="https://devco.re/">DEVCORE</a>, <a href="https://twitter.com/d1iv3">Tianze Ding (@D1iv3)</a> with Tencent Security Xuanwu Lab