CVE-2023-21710: Microsoft Exchange Server Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.2)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Feb

Released

2023-02-14

EPSS Score

4.73% (percentile: 89.4%)

FAQ

According to the CVSS metric, the attack vector is network (AV:N), privileges required is high (PR:H) and the user interaction is none (UI:N). How could an attacker exploit this vulnerability? The attacker who successfully exploited this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated admin, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Affected Products (3)

Server Software

• Microsoft Exchange Server 2016 Cumulative Update 23
• Microsoft Exchange Server 2019 Cumulative Update 11
• Microsoft Exchange Server 2019 Cumulative Update 12

Security Updates (3)

• 5023038
• 5023038
• 5023038

Acknowledgments

<a href="https://github.com/zcgonvh">zcgonvh</a> with 360 noah lab

Revision History

• 2023-02-14: Information published.