CVE-2020-17144
published 2020-12-10

CVE-2020-17144: Microsoft Exchange Remote Code Execution Vulnerability

Priority: P188 · high · 8.8 · CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2022-05-03
Exploited in the wild
EPSS: 36.51% (98.3th percentile)
Microsoft Exchange Remote Code Execution Vulnerability

Affected

25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | | |
| microsoft | microsoft_exchange_server_2010_service_pack_3_update_rollup_31 | < publication | publication |
| msrc | microsoft_exchange_server_2010_service_pack_3 | | |
| msrc | microsoft_exchange_server_2010_service_pack_3_update_rollup_31 | | |
| msrc | microsoft_exchange_server_2013_cumulative_update_21 | | |
| msrc | microsoft_exchange_server_2013_cumulative_update_22 | | |
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | | |
| msrc | microsoft_exchange_server_2013_service_pack_1 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_10 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_11 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_12 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_13 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_14 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_15 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_16 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_17 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_18 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_19 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_8 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_9 | | |
| msrc | microsoft_exchange_server_2019 | | |
| msrc | microsoft_exchange_server_2019_cumulative_update_1 | | |
| msrc | microsoft_exchange_server_2019_cumulative_update_2 | | |
| msrc | microsoft_exchange_server_2019_cumulative_update_3 | | |
| msrc | microsoft_exchange_server_2019_cumulative_update_4 | | |

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via improper validation of cmdlet arguments in Microsoft Exchange Server; monitor for anomalous or malformed cmdlet argument usage against Exchange.
  • Attacker must be authenticated to Exchange Server to exploit; correlate authenticated Exchange sessions with subsequent suspicious RCE indicators.
  • Affected software is Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31; prioritize detection on this specific version.
  • Exploitation requires prior authentication to Exchange Server; unauthenticated exploitation is not possible for this CVE.
  • CISA KEV lists this as actively exploited in the wild; treat as high-priority for detection and patching.

CVSS provenance

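| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vulncheck | | 8.4 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_msrc | | 9.1 | CRITICAL | |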