CVE-2020-0688
published 2020-02-11

Priority: P1 · 95 · high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

Affected

33 ranges · showing 25

Vendor       Product                                                          Version range   Fixed in
microsoft    exchange_server
microsoft    exchange_server
microsoft    exchange_server
microsoft    exchange_server
microsoft    microsoft_exchange_server_2010_service_pack_3_update_rollup_30
microsoft    microsoft_exchange_server_2013
microsoft    microsoft_exchange_server_2016_cumulative_update_14
microsoft    microsoft_exchange_server_2016_cumulative_update_15
microsoft    microsoft_exchange_server_2019_cumulative_update_3
microsoft    microsoft_exchange_server_2019_cumulative_update_4
msrc         microsoft_exchange_server_2010_service_pack_3
msrc         microsoft_exchange_server_2010_service_pack_3_update_rollup_30
msrc         microsoft_exchange_server_2013_cumulative_update_21
msrc         microsoft_exchange_server_2013_cumulative_update_22
msrc         microsoft_exchange_server_2013_cumulative_update_23
msrc         microsoft_exchange_server_2013_service_pack_1
msrc         microsoft_exchange_server_2016_cumulative_update_10
msrc         microsoft_exchange_server_2016_cumulative_update_11
msrc         microsoft_exchange_server_2016_cumulative_update_12
msrc         microsoft_exchange_server_2016_cumulative_update_13
msrc         microsoft_exchange_server_2016_cumulative_update_14
msrc         microsoft_exchange_server_2016_cumulative_update_15
msrc         microsoft_exchange_server_2016_cumulative_update_16
msrc         microsoft_exchange_server_2016_cumulative_update_17
msrc         microsoft_exchange_server_2016_cumulative_update_18

Detection & IOCs (extracted from sources)

path      C:\Inetpub\Logs\LogFiles\W3SVC1\
path      \Inetpub\wwwroot\
path      \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
path      \Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\Auth
url       https://<exchange>/ecp/default.aspx?__VIEWSTATEGENERATOR=<value>&__VIEWSTATE=<base64>
path      \Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.2044\scripts\premium
filename  premium.aspx
process   w3wp.exe
  • In IIS logs, search for requests to /ecp/default.aspx (or any /ecp/ path) containing __VIEWSTATE= with an unusually long base64 value; base64-decode the __VIEWSTATE blob to reveal attacker commands.
  • Detect post-exploitation by alerting on child processes of w3wp.exe such as PowerShell.exe, net.exe, net1.exe, cmd.exe, ping.exe, nslookup.exe, certutil.exe spawned on Exchange servers.
  • Attackers used ysoserial to generate deserialization payloads; look for ysoserial-characteristic base64 patterns in the __VIEWSTATE parameter of ECP requests.
  • Hunt for .dat files used as executables (e.g., curl.dat, s.dat, mpBD6D42.dat) in user-writable directories; this attack used .dat extensions to masquerade executables.
  • Alert on the expand command being used to extract .ex_ files into .dat or .exe files, a deobfuscation technique observed in this attack.
  • Monitor for Trojan.Win32.PRIVESC.A execution following Exchange exploitation; this trojan requires SeTcbPrivilege and enables arbitrary command execution via Windows session IDs.
  • Detect Chopper ASPX web shell (Backdoor.ASP.WEBSHELL.UWMANA) dropped into Exchange OWA auth directories, particularly files with .aspx extension in paths under FrontEnd\HttpProxy\owa\auth.
  • Detection guidance was primarily validated on Exchange 2013 and 2016; log file locations or formats may differ on Exchange 2010 or 2019.
  • The ServerException log directory existing is not definitive proof of exploitation; it is a normal ECP error logging directory that may exist on uncompromised servers.
  • 2FA on ECP may prevent exploitation since the attacker may not be able to acquire the ViewStateKey needed from an authenticated session.
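Detection logic for the first bullet above (long __VIEWSTATE values on /ecp/ requests in IIS logs), as an added example that is not from this page or from any of its sources: it parses constructed IIS W3C log lines, flags /ecp/ requests whose __VIEWSTATE exceeds a size threshold, and base64-decodes the blob to list its printable strings for the analyst. The field order, the 1024-character threshold, the function names and the sample log lines are all assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote
# Assumption: a benign ECP ViewState is far shorter than a serialized gadget
# chain, so a base64 value longer than this is worth an analyst's attention.
VIEWSTATE_LEN_THRESHOLD = 1024
# Column order from the "#Fields:" line of the (constructed) IIS W3C log.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

def parse_iis_line(line):
    """One W3C log line -> dict; '#' directives and malformed lines give None."""
    parts = line.split(" ")
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def query_params(query):
    # unquote(), not parse_qs(): a literal '+' in the base64 must stay a '+'.
    return {k: unquote(v) for k, _, v in (p.partition("=") for p in query.split("&"))}

def find_suspicious_ecp(lines):
    # Returns /ecp/ requests with an oversized __VIEWSTATE plus the printable
    # strings of the decoded blob, so the analyst can see what it carried.
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or not rec["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        vs = query_params(rec["cs-uri-query"]).get("__VIEWSTATE", "")
        if len(vs) < VIEWSTATE_LEN_THRESHOLD:
            continue
        try:  # re-pad and decode; an undecodable blob is still reported
            decoded = base64.b64decode(vs + "=" * (-len(vs) % 4))
        except ValueError:
            decoded = b""
        hits.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                     "viewstate_len": len(vs),
                     "strings": [m.decode() for m in re.findall(rb"[\x20-\x7e]{6,}", decoded)]})
    return hits

# Constructed sample log (not real traffic): one benign OWA request and one
# ECP request whose oversized ViewState decodes to a harmless marker string.
_SAMPLE_VS = base64.b64encode(b"CONSTRUCTED-SAMPLE-PAYLOAD " * 40).decode()
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2020-02-26 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 200",
    "2020-02-26 10:00:07 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234"
    "&__VIEWSTATE=" + quote(_SAMPLE_VS) + " 443 CORP\\user 203.0.113.9 Mozilla/5.0 500",
]
```

Against a real log, point the function at the lines of the W3SVC1 directory listed above and review every hit together with the w3wp.exe child-process alerts from the second bullet.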

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck             8.8    HIGH
cisa                  8.8    HIGH
vendor_msrc           9.1    CRITICAL