CVE-2020-17144: Microsoft Exchange Remote Code Execution Vulnerability
Published 2020-12-10
Priority: P1 88 high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 36.51% (98.3th percentile)
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2010_service_pack_3_update_rollup_31 | < publication | publication |
| msrc | microsoft_exchange_server_2010_service_pack_3 | — | — |
| msrc | microsoft_exchange_server_2010_service_pack_3_update_rollup_31 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_21 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_22 | — | — |
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2013_service_pack_1 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_10 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_11 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_12 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_13 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_14 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_15 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_16 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_17 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_18 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_19 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_8 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_9 | — | — |
| msrc | microsoft_exchange_server_2019 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_1 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_2 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_3 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_4 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered via improper validation of cmdlet arguments in Microsoft Exchange Server; monitor for anomalous or malformed cmdlet argument usage against Exchange.
- Attacker must be authenticated to Exchange Server to exploit; correlate authenticated Exchange sessions with subsequent suspicious RCE indicators.
- Affected software is Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31; prioritize detection on this specific version.
- Exploitation requires prior authentication to Exchange Server; unauthenticated exploitation is not possible for this CVE.
- CISA KEV lists this as actively exploited in the wild; treat as high-priority for detection and patching.
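CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.4 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 9.1 | CRITICAL | — |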
GHSA
GHSA-vqv9-x245-gqwv: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
ghsa_unreviewed·2022-05-24·CVSS 6.6
CVE-2020-17132 [MEDIUM] CWE-94 GHSA-vqv9-x245-gqwv: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17117, CVE-2020-17141, CVE-2020-17142, CVE-2020-17144.
GHSA
GHSA-5rwf-4w32-44c4: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
ghsa_unreviewed·2022-05-24·CVSS 6.6
CVE-2020-17141 [MEDIUM] CWE-94 GHSA-5rwf-4w32-44c4: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17117, CVE-2020-17132, CVE-2020-17142, CVE-2020-17144.
GHSA
GHSA-wv8q-jq9m-rpq3: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
ghsa_unreviewed·2022-05-24·CVSS 6.6
CVE-2020-17142 [MEDIUM] CWE-94 GHSA-wv8q-jq9m-rpq3: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17144.
GHSA
GHSA-68q4-hg7f-7p9c: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
ghsa_unreviewed·2022-05-24·CVSS 6.6
CVE-2020-17144 [MEDIUM] CWE-502 GHSA-68q4-hg7f-7p9c: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142.
GHSA
GHSA-h8vr-6vfm-c62r: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
ghsa_unreviewed·2022-05-24·CVSS 9.1
CVE-2020-17117 [CRITICAL] GHSA-h8vr-6vfm-c62r: , aka 'Microsoft Exchange Remote Code Execution Vulnerability'
, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-17132, CVE-2020-17141, CVE-2020-17142, CVE-2020-17144.
VulnCheck
Microsoft Exchange Server Remote Code Execution Vulnerability
vulncheck·2020·CVSS 8.4
CVE-2020-17144 [HIGH] CWE-502 Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server improperly validates cmdlet arguments, which allows an attacker to perform remote code execution.
Affected: Microsoft Exchange Server
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/cybersecurity-advisories/aa22-047a; https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf
Exploit PoC: https://vulncheck.com/xdb/3c6c5d3ca673; https://vulncheck.com/xdb/bbc21fba2ce0; https://vulncheck.com/xdb/78f51572c784; https://vulncheck.com/xdb/72b878cc1c22; https://vulncheck.com/xdb/bf12a0733fb9
Remediation Due: 2022-05-03
CISA
Microsoft Exchange Server Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2020-17144 [HIGH] CWE-502 Microsoft Exchange Server Remote Code Execution Vulnerability
Vulnerability: Microsoft Exchange Server Remote Code Execution Vulnerability
Affected: Microsoft Exchange Server
Microsoft Exchange Server improperly validates cmdlet arguments, which allows an attacker to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-17144
Remediation Due Date: 2022-05-03
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 7.8
CVE-2021-26857 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 9.1
CVE-2021-26855 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 7.8
CVE-2021-27065 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2021-03-09·CVSS 7.8
CVE-2021-26858 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.
What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.
Where can I get more information about how to protect myself from the vulnerabilities?
Pleas
Microsoft
Microsoft Exchange Remote Code Execution Vulnerability
vendor_msrc·2020-12-08·CVSS 8.4
CVE-2020-17144 [HIGH] Microsoft Exchange Remote Code Execution Vulnerability
Microsoft Exchange Remote Code Execution Vulnerability
FAQ: What can cause this vulnerability?
The vulnerability occurs due to improper validation of cmdlet arguments.
Does the attacker need to be in an authenticated role in the Exchange Server?
Yes, the attacker must be authenticated.
Microsoft Exchange Server: Microsoft Exchange Server
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely; Older Software Release: Exploitation More Likely
Reference: https://www.microsoft.com/download/details.aspx?familyid=565a516b-f84f-4aff-ba8c-1c57c378b418
Reference: https://support.microsoft.com/help/4593467
No detection rules found.
No public exploits indexed.
Tenable
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
blogs_tenable·2022-02-24
Government Advisories Warn of APT Activity Resulting from Russian Invasion of Ukraine
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Checkpoint
21st February– Threat Intelligence Report
blogs_checkpoint·2022-02-21·CVSS 9.8
CVE-2018-13379 [CRITICAL] 21st February– Threat Intelligence Report
## 21st February– Threat Intelligence Report
For the latest discoveries in cyber research for the week of 21st February, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has investigated the attack against Iranian broadcasting that occurred in late January. CPR was able to discover part of the tools that were utilized in this operation, including the evidence of the usage of a destructive wiper malware.
Check Point Research has discovered a new implementation of the
Checkpoint
14th December – Threat Intelligence Bulletin
blogs_checkpoint·2020-12-14
CVE-2020-1971 14th December – Threat Intelligence Bulletin
## 14th December – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 14th December, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The US Treasury Department and US Department of Commerce were victims of a cyberattack compromising their internal email traffic. Perhaps related, SolarWinds IT management software has been exploited in a supply chain attack, adding malicious code to its software updates released between March and June 2020.
Habana
Trendmicro
December Patch Tuesday Fixes Exchange, SMB
blogs_trendmicro·2020-12-09·CVSS 6.6
[MEDIUM] December Patch Tuesday Fixes Exchange, SMB
# December Patch Tuesday Fixes Exchange, SMB
The last set of updates for the year includes 58 patches for the Microsoft Office suite.
By: Trend Micro
2020/12/09
Updated on 12/9/2020 02:37PM PST to include Trend Micro Deep Security and Vulnerability Protection rules.
The last set of updates for the year includes 58 patches for the Microsoft Office suite. Of the total number, nine have been rated Critical and 46 as Important. A significant number of updates fixes gaps in MS Exchange vulnerable to remote code execution (RCE) and information disclosure, as well as a server message block (SMB) gap also noted for the latter vulnerability. No zero days have been observed, though several vulnerabilities have been deemed as likely for abuse. Six of the total
Tenable
Microsoft’s December 2020 Patch Tuesday Addresses 58 CVEs including CVE-2020-25705 (SAD DNS)
blogs_tenable·2020-12-08·CVSS 7.4
[HIGH] Microsoft’s December 2020 Patch Tuesday Addresses 58 CVEs including CVE-2020-25705 (SAD DNS)
Qualys
December 2020 Patch Tuesday – 58 Vulnerabilities, 9 Critical, Windows Exchange, Hyper-V, SharePoint, Adobe
blogs_qualys·2020-12-08·CVSS 8.5
[HIGH] December 2020 Patch Tuesday – 58 Vulnerabilities, 9 Critical, Windows Exchange, Hyper-V, SharePoint, Adobe
This month’s Microsoft Patch Tuesday addresses 58 vulnerabilities with 9 of them labeled as Critical. The 9 Critical vulnerabilities cover Exchange, SharePoint, Hyper-V, Chakra Scripting, and several other workstation vulnerabilities. Adobe released patches today for Experience Manager, Prelude, Lightroom and pre-notification security advisory for Acrobat and Reader.
## Workstation Patches
Today’s Patch Tuesday fixes vulnerabilities that would impact workstations. The Office, Edge, Chakra vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
## Microsoft Exchange RCE
Microsoft patched five Remote Code Execution vu
Qualys
December 2020 Patch Tuesday – 58 Vulnerabilities, 9 Critical, Windows Exchange, Hyper-V, SharePoint, Adobe | Qualys
blogs_qualys·2020-12-08·CVSS 8.5
[HIGH] December 2020 Patch Tuesday – 58 Vulnerabilities, 9 Critical, Windows Exchange, Hyper-V, SharePoint, Adobe | Qualys
This month’s Microsoft Patch Tuesday addresses 58 vulnerabilities with 9 of them labeled as Critical. The 9 Critical vulnerabilities cover Exchange, SharePoint, Hyper-V, Chakra Scripting, and several other workstation vulnerabilities. Adobe released patches today for Experience Manager, Prelude, Lightroom and pre-notification security advisory for Acrobat and Reader.
### Workstation Patches
Today’s Patch Tuesday fixes vulnerabilities that would impact workstations. The Office, Edge, Chakra vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
### Microsoft Exchange RCE
Microsoft patched five Remote Code Execution v
Zscaler
Zscaler protects against 2 new vulnerabilities for MS-Window
blogs_zscaler·CVSS 8.4
[HIGH] Zscaler protects against 2 new vulnerabilities for MS-Window
2020-12-10: Published
2021-11-03: Added to CISA KEV
Exploited in the wild