CVE-2023-21706
Published 2023-02-14
CVE-2023-21706: Microsoft Exchange Server Remote Code Execution Vulnerability
Priority: P2 (60, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.06% (89.4th percentile)
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2013_cumulative_update_23 | >= 15.00.0 < 15.00.1497.047 | 15.00.1497.047 |
| microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.021 | 15.01.2507.021 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_11 | >= 15.02.0 < 15.02.0986.041 | 15.02.0986.041 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_12 | >= 15.02.0 < 15.02.1118.025 | 15.02.1118.025 |
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_11 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_12 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for authenticated network calls to Exchange Server that attempt to trigger remote code execution in the context of the server account; the attacker must be authenticated (low privilege), the attack vector is network, and no user interaction is required.
- Watch for SSRF bypass attempts against Exchange web application firewall signatures, as attackers may attempt to bypass SSRF protections (similar to ProxyNotShell CVE-2022-41082) to meet the authentication constraints needed to exploit CVE-2023-21706.
- Monitor Exchange servers for credential brute-force activity, as attackers may attempt to brute-force Exchange credentials to satisfy the authentication requirement for exploitation.
- Successful exploitation results in code execution as SYSTEM on the Exchange server; alert on unexpected SYSTEM-level process spawning from Exchange worker processes.
- As of the blog publication date, no public proof-of-concept exploit exists for CVE-2023-21706; exploitation is assessed as "More Likely" by Microsoft, but no in-the-wild exploitation has been confirmed.
- Targeted attacks against self-hosted Exchange are expected to be stealthy and direct rather than mass-scanning; defenders should focus on targeted attack detection rather than mass exploitation signatures.
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Vendor (MSRC): 8.8 HIGH
GHSA
GHSA-8v8w-cp35-xxq5: Microsoft Exchange Server Remote Code Execution Vulnerability (ghsa_unreviewed, 2023-02-14, CVE-2023-21706, HIGH)
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability (vendor_msrc, 2023-02-14, CVE-2023-21706, HIGH, CVSS 8.8, CWE-502)
FAQ: According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution?
The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.
FAQ: According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?
Yes, the attacker must be authenticated.
Customer Action Required: Yes
Impac
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities (blogs_talos, 2023-02-14, CVE-2023-21823, CRITICAL, CVSS 9.8)
Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, and one vulnerability is classified as “Moderate.”
According to Microsoft, none of the vulnerabilities had been publicly disclosed before Patch Tuesday, and only three vulnerabilities were seen in the wild. The most serious one is CVE-2023-21823, a Windows Graphics Component Remote Code Execution Vulnerability, followed by CVE-2023-21715, a Microsoft Publisher Security Features Bypass Vulnerability, which we are describing below, and CVE-2023-23376, a local Windows Common Log File System Driver Elevation of Privilege Vulnerability.
Three of the most “Critical” vulnerabilities, which Microsoft considers to be “more likel
Tenable
Microsoft’s February 2023 Patch Tuesday Addresses 75 CVEs (CVE-2023-23376) (blogs_tenable, 2023-02-14, HIGH, CVSS 7.8)
Krebs
Microsoft Patch Tuesday, February 2023 Edition (blogs_krebs, 2023-02-14, CVE-2023-23376, HIGH, CVSS 7.3)
Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.
Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.
“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Ze
Greynoiseio
GreyNoise Analysis Of A Quartet of Exchange Remote Code Execution Vulnerabilities: CVE-2023-21529; CVE-2023-21706; CVE-2023-21707; CVE-2023-21710 (blogs_greynoiseio, HIGH, CVSS 8.8)