CVE-2019-0724
published 2019-03-05

Priority: P2 · 64 · high
CVSS 3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 23.80% (97.5th percentile)
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0686.

Affected

31 affected ranges (showing 25). Vendor / product; version range and fixed-in columns were not preserved in this record.

Vendor: microsoft
  - exchange_server
  - exchange_server
  - exchange_server
  - exchange_server
  - microsoft_exchange_server_2010
  - microsoft_exchange_server_2013
  - microsoft_exchange_server_2016
  - microsoft_exchange_server_2019

Vendor: msrc
  - microsoft_exchange_server_2010_service_pack_3
  - microsoft_exchange_server_2010_service_pack_3_update_rollup_26
  - microsoft_exchange_server_2013_cumulative_update_21
  - microsoft_exchange_server_2013_cumulative_update_22
  - microsoft_exchange_server_2013_cumulative_update_23
  - microsoft_exchange_server_2013_service_pack_1
  - microsoft_exchange_server_2016_cumulative_update_8
  - microsoft_exchange_server_2016_cumulative_update_10
  - microsoft_exchange_server_2016_cumulative_update_11
  - microsoft_exchange_server_2016_cumulative_update_12
  - microsoft_exchange_server_2016_cumulative_update_13
  - microsoft_exchange_server_2016_cumulative_update_14
  - microsoft_exchange_server_2016_cumulative_update_15
  - microsoft_exchange_server_2016_cumulative_update_16
  - microsoft_exchange_server_2016_cumulative_update_17
  - microsoft_exchange_server_2016_cumulative_update_18
  - microsoft_exchange_server_2016_cumulative_update_19

Detection & IOCs (extracted from sources)

URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/exchange_web_server_pushsubscription.rb
Command (workaround, Exchange Management Shell): New-ThrottlingPolicy -Name AllUsersEWSSubscriptionBlockPolicy -EwsMaxSubscriptions 0 -ThrottlingPolicyScope Organization
Command (remove workaround after patching): Remove-ThrottlingPolicy AllUsersEWSSubscriptionBlockPolicy
  • Monitor for Exchange PushSubscription (EWS Push Notifications) triggering outbound HTTP authentication requests from the Exchange server to arbitrary attacker-controlled URLs — this is the core exploitation mechanism.
  • Detect NTLM relay attacks originating from the Exchange server's computer account toward Domain Controllers, particularly over LDAP/LDAPS — indicative of PrivExchange exploitation.
  • Alert on Exchange servers initiating outbound connections to workstations on arbitrary ports, which may indicate an attacker is relaying Exchange computer account credentials.
  • Audit Exchange Web Services (EWS) push subscription creation events — exploitation requires EWS and Push Notifications to be enabled; unexpected subscription creation by low-privilege users is suspicious.
  • Detect use of the Metasploit auxiliary module 'scanner/http/exchange_web_server_pushsubscription' against Exchange servers via network or endpoint telemetry.
  • The workaround (setting EwsMaxSubscriptions to 0) will break legitimate applications that rely on EWS push notifications, including Outlook for Mac, Skype for Business, iOS native mail clients, and third-party LOB applications. Remove the policy after applying the patch.
  • Enabling Extended Protection for Authentication should only be applied to Exchange front-end IIS endpoints, NOT the Exchange Back End; applying it to the back end will break Exchange functionality.
  • This vulnerability only affects on-premises deployments of Microsoft Exchange; cloud/hosted Exchange is not impacted.

CVSS provenance

NVD (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
Vendor (MSRC): 9.1 CRITICAL