Microsoft Exchange Server Static Key Flaw Could Lead to Remote Code Execution

On February 11, 2020, Microsoft released a patch for a severe vulnerability in Microsoft Exchange Server as part of its monthly Patch Tuesday updates. Microsoft initially described the bug as a memory corruption vulnerability in Exchange; it has since revised the advisory's title and description to reflect the actual root cause described below.

Vulnerability analysis: CVE-2020-0688 is a static key vulnerability in the Exchange Control Panel (ECP), a component of Microsoft Exchange Server. Every Exchange installation shipped with the same cryptographic keys (the ASP.NET machineKey) in the ECP configuration, so an attacker who holds any valid credentials, regardless of privilege level, can send a specially crafted request to a vulnerable ECP and execute arbitrary code as SYSTEM on the server. In practice this means a single phished or reused mailbox password against an internet-facing, unpatched server is enough for full compromise. Microsoft rates the flaw Important in severity but marks it "Exploitation More Likely" on its Exploitability Index.

Researchers have warned that attackers are actively probing for Exchange Servers vulnerable to CVE-2020-0688, and scans show that many organizations are behind on patching Exchange, leaving them open to attack. Full details of the vulnerability are in the accompanying blog post.
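The check a practitioner would want at this point, covering both the static-key root cause above and the patch-status question raised here, is to read the ECP machineKey from every Exchange server and confirm it is no longer the value shared by all unpatched installs. The script below is an added example written for this page, not code from the original post or from Microsoft. It assumes Exchange 2013 or later (the `v15` registry key), that it is run from the Exchange Management Shell with WinRM access to each server, and that the static validationKey constant matches the value published in public analyses of CVE-2020-0688; verify that constant against your own reference before relying on the comparison.

```powershell
# Added example (not from the original post): audit Exchange servers for the
# CVE-2020-0688 static ECP machineKey. Run from the Exchange Management Shell.

# validationKey shared by every unpatched install, as published in public
# write-ups of CVE-2020-0688. Assumption: confirm this value against your own
# reference before acting on a match.
$StaticValidationKey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'

function Get-EcpMachineKey {
    # Returns the <machineKey> attributes from the ECP web.config on one server.
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Assumption: Exchange 2013+ records its install path under the v15 key.
        $setup       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
        $webConfig   = Join-Path $setup.MsiInstallPath 'ClientAccess\ecp\web.config'
        [xml]$config = Get-Content -LiteralPath $webConfig -Raw
        $mk          = $config.configuration.'system.web'.machineKey

        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            ValidationKey = $mk.validationKey
            DecryptionKey = $mk.decryptionKey
            Validation    = $mk.validation
        }
    }
}

# Collect the ECP machineKey from every server that hosts the ECP virtual directory.
$results = Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox|ClientAccess' } |
    ForEach-Object { Get-EcpMachineKey -ComputerName $_.Fqdn }

# Finding 1: a server still carrying the public static key is exploitable by
# any authenticated user and has not received the February 2020 update.
foreach ($r in $results) {
    if ($r.ValidationKey -ieq $StaticValidationKey) {
        Write-Warning ("{0}: ECP still uses the public static validationKey; " +
                       "CVE-2020-0688 is exploitable by any authenticated user." -f $r.Server)
    }
}

# Finding 2: the update installs a distinct key per server, so a key that two
# servers share was set by hand. Report it so the owner can confirm it was deliberate.
$results | Group-Object ValidationKey | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("validationKey shared by: {0}" -f ($_.Group.Server -join ', '))
}

$results | Format-Table Server, Validation, ValidationKey -AutoSize
```

Read the output as a patch-status signal rather than as proof of compromise: a server whose key still matches the static value must be updated immediately, and the same check, run after the update, confirms the new per-server key is actually in place. Treat the key values themselves as secrets and do not paste them into tickets.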