CVE-2019-1373
published 2019-11-12


Priority P265 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.16% (96.8th percentile)

A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'.

Affected

30 ranges · showing 25

Vendor | Product | Version range | Fixed in
microsoft | exchange_server | |
microsoft | exchange_server | |
microsoft | exchange_server | |
microsoft | microsoft_exchange_server_2013 | |
microsoft | microsoft_exchange_server_2016 | |
microsoft | microsoft_exchange_server_2016_cumulative_update_14 | |
microsoft | microsoft_exchange_server_2019 | |
microsoft | microsoft_exchange_server_2019_cumulative_update_3 | |
msrc | microsoft_exchange_server_2010_service_pack_3 | |
msrc | microsoft_exchange_server_2013_cumulative_update_21 | |
msrc | microsoft_exchange_server_2013_cumulative_update_22 | |
msrc | microsoft_exchange_server_2013_cumulative_update_23 | |
msrc | microsoft_exchange_server_2013_service_pack_1 | |
msrc | microsoft_exchange_server_2016_cumulative_update_10 | |
msrc | microsoft_exchange_server_2016_cumulative_update_11 | |
msrc | microsoft_exchange_server_2016_cumulative_update_12 | |
msrc | microsoft_exchange_server_2016_cumulative_update_13 | |
msrc | microsoft_exchange_server_2016_cumulative_update_14 | |
msrc | microsoft_exchange_server_2016_cumulative_update_15 | |
msrc | microsoft_exchange_server_2016_cumulative_update_16 | |
msrc | microsoft_exchange_server_2016_cumulative_update_17 | |
msrc | microsoft_exchange_server_2016_cumulative_update_18 | |
msrc | microsoft_exchange_server_2016_cumulative_update_19 | |
msrc | microsoft_exchange_server_2016_cumulative_update_8 | |
msrc | microsoft_exchange_server_2016_cumulative_update_9 | |

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered through deserialization of metadata via PowerShell cmdlets in Microsoft Exchange — monitor for Exchange-related PowerShell cmdlet execution, especially from remote or unexpected users
  • Exploitation requires a user to run cmdlets via PowerShell — alert on PowerShell cmdlet execution in the context of Exchange processes or Exchange management sessions
  • The vulnerability is rooted in improper serialization of Exchange metadata — inspect Exchange PowerShell remoting sessions for anomalous or malformed serialized metadata payloads
  • As of the advisory, this vulnerability had NOT been publicly exploited or disclosed with a working public PoC — exploitation likelihood rated 'Less Likely' for both latest and older software releases
  • Arbitrary code runs in the context of the logged-in user, not SYSTEM — privilege level of the exploited account determines blast radius

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc | | 9.8 | CRITICAL |