CVE-2019-1373
Published: 2019-11-12
Priority P2 · 65 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.16% (96.8th percentile)
A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'.
Affected
30 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2013 | — | — |
| microsoft | microsoft_exchange_server_2016 | — | — |
| microsoft | microsoft_exchange_server_2016_cumulative_update_14 | — | — |
| microsoft | microsoft_exchange_server_2019 | — | — |
| microsoft | microsoft_exchange_server_2019_cumulative_update_3 | — | — |
| msrc | microsoft_exchange_server_2010_service_pack_3 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_21 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_22 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2013_service_pack_1 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_10 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_11 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_12 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_13 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_14 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_15 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_16 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_17 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_18 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_19 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_8 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_9 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered through deserialization of metadata via PowerShell cmdlets in Microsoft Exchange: monitor for Exchange-related PowerShell cmdlet execution, especially from remote or unexpected users
- Exploitation requires a user to run cmdlets via PowerShell: alert on PowerShell cmdlet execution in the context of Exchange processes or Exchange management sessions
- The vulnerability is rooted in improper serialization of Exchange metadata: inspect Exchange PowerShell remoting sessions for anomalous or malformed serialized metadata payloads
- As of the advisory, this vulnerability had NOT been publicly exploited or disclosed with a working public PoC; exploitation likelihood rated 'Less Likely' for both latest and older software releases
- Arbitrary code runs in the context of the logged-in user, not SYSTEM; privilege level of the exploited account determines blast radius
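CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 9.8 | CRITICAL | — |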
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 7.8
CVE-2021-26857 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 9.1
CVE-2021-26855 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 7.8
CVE-2021-27065 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 7.8
CVE-2021-26858 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft
Microsoft Exchange Remote Code Execution Vulnerability
vendor_msrc·2019-11-12·CVSS 9.8
CVE-2019-1373 [CRITICAL] Microsoft Exchange Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the logged in user.
Exploitation of this vulnerability requires that a user run cmdlets via PowerShell.
The security update addresses the vulnerability by correcting how Exchange serializes its metadata.
Microsoft Exchange Server: Microsoft Exchange Server
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely
Reference: https://www.microsoft.com/download/details.aspx?familyid=e
GHSA
GHSA-24mr-37ph-25xf: A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Rem
ghsa_unreviewed·2022-05-24
CVE-2019-1373 [HIGH] GHSA-24mr-37ph-25xf: A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Rem
A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'.
No detection rules found.
No public exploits indexed.
Trendmicro
November Patch Tuesday: 74 Fixes Before Major Update
blogs_trendmicro·2019-11-13·CVSS 9.1
[CRITICAL] November Patch Tuesday: 74 Fixes Before Major Update
Exploits & Vulnerabilities
# November Patch Tuesday: 74 Fixes Before Major Update
November Patch Tuesday holds a total of 74 patches, with 13 classified as Critical for remote code execution (RCE) flaws. The remaining majority were rated as Important and included patches for graphics components and SharePoint, among others.
By: Trend Micro
2019/11/13
Following the relatively light list from last month, November proved to be a much more eventful month for Microsoft users. The November Patch Tuesday holds more fixes with a total of 74 patches, 13 of which were classified as Critical patches for remote code execution (RCE) vulnerabilities. The remaining majority were rated as Important and included patches for Windows graphics components and Microsoft S
Trendmicro
November Patch Tuesday: 74 Fixes Before Major Update
blogs_trendmicro·2019-11-13·CVSS 9.1
[CRITICAL] November Patch Tuesday: 74 Fixes Before Major Update
# November Patch Tuesday: 74 Fixes Before Major Update
November Patch Tuesday holds a total of 74 patches, with 13 classified as Critical for remote code execution (RCE) flaws. The remaining majority were rated as Important and included patches for graphics components and SharePoint, among others.
By: Trend Micro
Nov 13, 2019
Following the relatively light list from last month, November proved to be a much more eventful month for Microsoft users. The November Patch Tuesday holds more fixes with a total of 74 patches, 13 of which were classified as Critical patches for remote code execution (RCE) vulnerabilities. The remaining majority were rated as Important and included patches for Windows graphics components and Microsoft SharePoint, among others. T
Qualys
November 2019 Patch Tuesday – 74 vulns, 13 Critical, Actively Attacked IE vuln, Hyper-V escapes, Adobe
blogs_qualys·2019-11-12·CVSS 9.1
[CRITICAL] November 2019 Patch Tuesday – 74 vulns, 13 Critical, Actively Attacked IE vuln, Hyper-V escapes, Adobe
This month’s Microsoft Patch Tuesday addresses 74 vulnerabilities with 13 of them labeled as Critical. Of the 13 Critical vulns, 5 are for browsers and scripting engines. Out of the 8 remaining Critical vulns, 4 are potential hypervisor escapes in Hyper-V, as well as vulnerabilities in Microsoft Exchange, Win32k, Windows Media Foundations, and OpenType. Adobe’s Patch Tuesday was on time this month, and covers 11 vulns spread across Animate, Illustrator, Media Encoder, and Bridge.
UPDATE
There are reports that the CVE-2019-1402 patches are causing issues with all supported versions of Microsoft Access. Microsoft has posted a document on the issue with upcoming fix dates and workarounds.
## Workstation Patches
Scripting Engine, Browser, Win32k, WMF, and OpenType patches should be prioriti
Talos
Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-11-12·CVSS 9.1
[CRITICAL] Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448, a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microsoft Media Foundation.
Talos also released a new set of SNORTⓇ rules that provide covera
Talos
Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-11-12·CVSS 9.1
[CRITICAL] Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
## Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448, a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microso
Qualys
November 2019 Patch Tuesday - 74 vulns, 13 Critical, Actively Attacked IE vuln, Hyper-V escapes, Adobe | Qualys
blogs_qualys·2019-11-12·CVSS 9.1
[CRITICAL] November 2019 Patch Tuesday - 74 vulns, 13 Critical, Actively Attacked IE vuln, Hyper-V escapes, Adobe | Qualys
This month’s Microsoft Patch Tuesday addresses 74 vulnerabilities with 13 of them labeled as Critical. Of the 13 Critical vulns, 5 are for browsers and scripting engines. Out of the 8 remaining Critical vulns, 4 are potential hypervisor escapes in Hyper-V, as well as vulnerabilities in Microsoft Exchange, Win32k, Windows Media Foundations, and OpenType. Adobe’s Patch Tuesday was on time this month, and covers 11 vulns spread across Animate, Illustrator, Media Encoder, and Bridge.
UPDATE
There are reports that the CVE-2019-1402 patches are causing issues with all supported versions of Microsoft Access. Microsoft has posted a document on the issue with upcoming fix dates and workarounds.
### Workstation Patches
Scripting Engine, Browser, Win32k, WMF, and OpenType patches should be priori
Published: 2019-11-12