⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-17144 — Deserialization of Untrusted Data in Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31

CWE-502 — Deserialization of Untrusted Data CWE-94 — Code Injection6 documents6 sources

Severity

8.8HIGHNVD

CNA8.4VulnCheck8.4

EPSS

92.0%

top 0.30%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31 Microsoft Exchange Server

Timeline

PublishedDec 10

KEV addedNov 3

KEV dueMay 3

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

Microsoft Exchange Remote Code Execution Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5microsoft/microsoft_exchange_server_2010_service_pack_3_update_rollup_31< publication

▶NVDmicrosoft/exchange_server2010

Patches

Patch: msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-68q4-hg7f-7p9c: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'↗2022-05-24

▶

CVEList

Microsoft Exchange Remote Code Execution Vulnerability↗2020-12-09

▶

VulnCheck

Microsoft Exchange Server Remote Code Execution Vulnerability↗2020

▶

📋Vendor Advisories

CISA

Microsoft Exchange Server Remote Code Execution Vulnerability↗2021-11-03

▶

Microsoft

Microsoft Exchange Remote Code Execution Vulnerability↗2020-12-08

▶