CVE-2019-0724
Published: 2019-03-05
Priority: P2 · 64 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS: 23.80% (97.5th percentile)
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0686.
Affected
31 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2010 | — | — |
| microsoft | microsoft_exchange_server_2013 | — | — |
| microsoft | microsoft_exchange_server_2016 | — | — |
| microsoft | microsoft_exchange_server_2019 | — | — |
| msrc | microsoft_exchange_server_2010_service_pack_3 | — | — |
| msrc | microsoft_exchange_server_2010_service_pack_3_update_rollup_26 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_21 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_22 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2013_service_pack_1 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_10 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_11 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_12 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_13 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_14 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_15 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_16 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_17 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_18 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_19 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_8 | — | — |
Detection & IOCs (extracted from sources)
URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/exchange_web_server_pushsubscription.rb
Command (workaround): New-ThrottlingPolicy -Name AllUsersEWSSubscriptionBlockPolicy -EwsMaxSubscriptions 0 -ThrottlingPolicyScope Organization
- Monitor for Exchange PushSubscription (EWS Push Notifications) triggering outbound HTTP authentication requests from the Exchange server to arbitrary attacker-controlled URLs; this is the core exploitation mechanism.
- Detect NTLM relay attacks originating from the Exchange server's computer account toward Domain Controllers, particularly over LDAP/LDAPS; this is indicative of PrivExchange exploitation.
- Alert on Exchange servers initiating outbound connections to workstations on arbitrary ports, which may indicate an attacker is relaying Exchange computer account credentials.
- Audit Exchange Web Services (EWS) push subscription creation events. Exploitation requires EWS and Push Notifications to be enabled; unexpected subscription creation by low-privilege users is suspicious.
- Detect use of the Metasploit auxiliary module 'scanner/http/exchange_web_server_pushsubscription' against Exchange servers via network or endpoint telemetry.
- The workaround (setting EwsMaxSubscriptions to 0) will break legitimate applications that rely on EWS push notifications, including Outlook for Mac, Skype for Business, iOS native mail clients, and third-party LOB applications. Remove the policy after applying the patch.
- Enabling Extended Protection for Authentication should only be applied to Exchange front-end IIS endpoints, NOT the Exchange Back End; applying it to the back end will break Exchange functionality.
- This vulnerability only affects on-premises deployments of Microsoft Exchange; cloud/hosted Exchange is not impacted.
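The two detection signals in the notes above (the Exchange computer account authenticating to a domain controller over NTLM from an address that is not the Exchange server, and Exchange pushing to hosts that are not known EWS push consumers) can be expressed as simple rules over authentication and connection records. This is an added example with constructed records, not code from any of the sources on this page; the host names, IP addresses, allowlist and field names are assumptions.

```python
from dataclasses import dataclass

# Constructed environment facts (assumptions for this example, not page data).
EXCHANGE_HOSTS = {"EXCH01$": "10.0.0.10"}   # computer account -> its real IP
DOMAIN_CONTROLLERS = {"DC01"}
EWS_PUSH_ALLOWLIST = {"lob-app.corp.example", "skype.corp.example"}

@dataclass
class AuthEvent:        # a DC-side network logon (e.g. an LDAP bind) record
    account: str        # authenticating account name
    auth_package: str   # "NTLM" or "Kerberos"
    src_ip: str         # where the bind came from
    dst_host: str       # the server that accepted it

@dataclass
class OutboundHttp:     # an outbound HTTP(S) connection seen leaving Exchange
    src_host: str
    dst_host: str
    dst_port: int

def relayed_computer_account(ev: AuthEvent) -> bool:
    """Exchange's computer account authenticating to a DC over NTLM from an
    address that is not the Exchange server itself: a relay signature."""
    if ev.account not in EXCHANGE_HOSTS or ev.dst_host not in DOMAIN_CONTROLLERS:
        return False
    if ev.auth_package.upper() != "NTLM":   # Exchange normally uses Kerberos here
        return False
    return ev.src_ip != EXCHANGE_HOSTS[ev.account]

def suspicious_push_target(conn: OutboundHttp) -> bool:
    """Exchange pushing to a host that is not a known EWS push consumer."""
    return conn.dst_host not in EWS_PUSH_ALLOWLIST

SAMPLE_AUTH = [  # constructed records
    AuthEvent("EXCH01$", "Kerberos", "10.0.0.10", "DC01"),  # normal
    AuthEvent("EXCH01$", "NTLM", "10.0.5.77", "DC01"),      # from a workstation IP
    AuthEvent("alice", "NTLM", "10.0.5.77", "DC01"),        # user account, out of scope
]
SAMPLE_HTTP = [  # constructed records
    OutboundHttp("EXCH01", "lob-app.corp.example", 443),    # allowlisted LOB app
    OutboundHttp("EXCH01", "10.0.5.77", 8080),              # arbitrary host and port
]

def findings():
    """Return (relay events, suspicious push targets) from the samples."""
    relays = [e for e in SAMPLE_AUTH if relayed_computer_account(e)]
    pushes = [c for c in SAMPLE_HTTP if suspicious_push_target(c)]
    return relays, pushes
```

In a real deployment the allowlist would be derived from the EWS subscriptions legitimate applications actually register, and the authentication records from domain controller logon telemetry.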
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 9.1 | CRITICAL | — |
GHSA · GHSA-r53v-h866-83xq · ghsa_unreviewed · 2022-05-13 · CVSS 7.4
CVE-2019-0724 [HIGH] GHSA-r53v-h866-83xq: An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0686.
GHSA · GHSA-95f3-h5c9-7w6c · ghsa_unreviewed · 2022-05-13 · CVSS 8.1
CVE-2019-0686 [HIGH] GHSA-95f3-h5c9-7w6c: An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0724.
Microsoft · vendor_msrc · 2021-03-09 · CVSS 7.8
CVE-2021-26857 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft · vendor_msrc · 2021-03-09 · CVSS 9.1
CVE-2021-26855 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft · vendor_msrc · 2021-03-09 · CVSS 7.8
CVE-2021-27065 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft · vendor_msrc · 2021-03-09 · CVSS 7.8
CVE-2021-26858 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft · vendor_msrc · 2019-02-12 · CVSS 7.4
CVE-2019-0686 [HIGH] Microsoft Exchange Server Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users.
Exploitation of this vulnerability requires Exchange Web Services (EWS) and Push Notifications to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
To address this vulnerability, Microsoft has changed t
Microsoft · vendor_msrc · 2019-02-12 · CVSS 7.4
CVE-2019-0724 [HIGH] Microsoft Exchange Server Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as a Domain Administrator.
Exploitation of this vulnerability requires Exchange Web Services (EWS) and Push Notifications to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Active Directory domain controller, thereby facilitating gaining of increased privileges on the domain controller.
To address this vulnerability, Microsoft has evaluated the rights granted to Exchange Servers and Exchange Administrators in the
No detection rules found.
Qualys · blogs_qualys · 2019-02-12 · CVSS 8.8
[HIGH] February 2019 Patch Tuesday – 74 Vulns, 20 Critical, Exchange 0-day, Adobe Vulns
This month’s Patch Tuesday is very large, with 74 vulns being addressed of which 20 are labeled as critical. Fifteen of these critical vulns are in the Scripting Engine and browsers, with the remainder being GDI+, SharePoint, and DHCP. Microsoft also issued an Advisory for an Exchange 0-day, along with a patch for one of the two reported vulns. Adobe also released updates for Acrobat/Reader, Flash, Coldfusion, and Creative Cloud.
## Workstation Patches
Browser, Scripting Engine, and GDI+ patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
## Exchange
In late January, a 0-day exploit was announced for Microsoft Exchange.
Tenable · blogs_tenable · 2019-01-22 · CVSS 7.4
CVE-2019-0724 [HIGH] Proof-of-Concept Code Gives Standard Microsoft Exchange Users Domain Administrator Privileges (CVE-2019-0724, CVE-2019-0686)
# Proof-of-Concept Code Gives Standard Microsoft Exchange Users Domain Administrator Privileges (CVE-2019-0724, CVE-2019-0686)
Paul Davis, January 22, 2019
Publicly released and newly named “PrivExchange” proof-of-concept (POC) privilege escalation code exploits protocol flaws and default configurations to give standard Exchange users Domain Administrator access.
### Background
Update February 12: Microsoft released updates for CVE-2019-0724 and CVE-2019-0686 to address this vulnerability.
Update February 6: Microsoft published a security advisory (ADV190007) that includes a Throttling Policy that will mitigate this vulnerability until a software update. Additionally, they noted that the vulnerability described in the blog post below