Microsoft Exchange CVE-2020-0688
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
AnalysisAI
Microsoft Exchange Server contains a remote code execution vulnerability caused by static cryptographic keys used in the Exchange Control Panel, allowing authenticated attackers to execute code as SYSTEM.
Technical ContextAI
The CWE-287 authentication flaw stems from Exchange using a static validationKey and decryptionKey in web.config for ViewState MAC validation. An authenticated attacker (any mailbox user) can craft a serialized ViewState payload, sign it with the known static key, and send it to ECP for deserialization and code execution as SYSTEM.
Affected ProductsAI
Microsoft Exchange Server (affected versions)
RemediationAI
Apply Microsoft security update. Regenerate Exchange's cryptographic keys. Monitor for anomalous ECP requests. Implement mailbox audit logging.
Same weakness CWE-287 – Improper Authentication
View allShare
External POC / Exploit Code
Leaving vuln.today