CVE-2023-21707
published 2023-02-14

CVE-2023-21707: Microsoft Exchange Server Remote Code Execution Vulnerability

Priority: P274, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 82.02% (99.6th percentile)

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | | |
| microsoft | exchange_server | | |
| microsoft | exchange_server | | |
| microsoft | microsoft_exchange_server_2013_cumulative_update_23 | >= 15.00.0 < 15.00.1497.048 | 15.00.1497.048 |
| microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.023 | 15.01.2507.023 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_11 | >= 15.02.0 < 15.02.0986.042 | 15.02.0986.042 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_12 | >= 15.02.0 < 15.02.1118.026 | 15.02.1118.026 |
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | | |
| msrc | microsoft_exchange_server_2016_cumulative_update_23 | | |
| msrc | microsoft_exchange_server_2019_cumulative_update_11 | | |
| msrc | microsoft_exchange_server_2019_cumulative_update_12 | | |

Detection & IOCs (extracted from sources)

  • CVE-2023-21707 requires authenticated access (low privilege) to exploit; monitor for Exchange credential brute-force attempts as a precursor to exploitation
  • Monitor for SSRF bypass attempts against Exchange Web Services (EWS) as a mechanism to satisfy the authentication requirement for CVE-2023-21707, consistent with the ProxyNotShell exploitation pattern
  • CVE-2023-21707 exploitation results in code execution as SYSTEM; alert on Exchange worker processes (e.g., w3wp.exe) spawning unexpected child processes
  • Exploitation is triggered via a network call from an authenticated user targeting server-side account context; monitor Exchange network call patterns from low-privilege authenticated accounts for anomalous RCE-indicative behavior
  • No public proof-of-concept exploit exists as of the blog publication date; mass exploitation is considered unlikely in the near term but targeted attacks against known Exchange inventories are a concern
  • Microsoft re-released the CVE advisory with updated March patches after the February updates caused Exchange Web Services issues; ensure March Exchange Server updates are applied rather than only February updates

CVSS provenance

  • nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • vendor_msrc: 8.8 HIGH