CVE-2023-36039
published 2023-11-14

CVE-2023-36039: Microsoft Exchange Server Spoofing Vulnerability

Severity: High, 8.0 (CVSS 3.1)
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 72.99% (99.4th percentile)

Description: Microsoft Exchange Server Spoofing Vulnerability

Affected

6 ranges
Vendor     Product                                               Version range                  Fixed in
microsoft  microsoft_exchange_server_2016_cumulative_update_23   >= 15.01.0, < 15.01.2507.035   15.01.2507.035
microsoft  microsoft_exchange_server_2019_cumulative_update_12   >= 15.02.0, < 15.02.1118.040   15.02.1118.040
microsoft  microsoft_exchange_server_2019_cumulative_update_13   >= 15.02.0, < 15.02.1258.028   15.02.1258.028
msrc       microsoft_exchange_server_2016_cumulative_update_23
msrc       microsoft_exchange_server_2019_cumulative_update_12
msrc       microsoft_exchange_server_2019_cumulative_update_13

Detection & IOCs (extracted from sources)

command: \\?\UNC\win-attacker\poc
  • Monitor for PowerShell Remoting sessions to Exchange Server from authenticated low-privileged users, particularly those delivering serialized XML payloads that target the FederationTrust class (Microsoft.Exchange.Data.Directory.SystemConfiguration.FederationTrust) with an OrgCertificate member set to a UNC path; this is the exploitation vector for CVE-2023-36039 NTLM relaying.
  • Detect deserialization payloads that use the ConvertViaNoArgumentConstructor mechanism in Exchange PowerShell Remoting and target the X509Certificate2 single-argument constructor with a UNC path, which triggers an outbound SMB connection enabling NTLM relay.
  • Alert on outbound SMB (port 445) connections originating from the Exchange Server process to external or attacker-controlled hosts, as this is the mechanism by which Net-NTLMv2 hashes are leaked during exploitation.
  • Exploitation requires an authenticated attacker with LAN access and valid Exchange user credentials; unauthenticated remote exploitation is not possible.
  • The vulnerability exploits the ConvertViaNoArgumentConstructor deserialization mechanism, which bypasses Exchange PowerShell's allow-list type control by deserializing disallowed types (e.g., X509Certificate2) as members of allowed types; patching must address member-level type validation.

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.1      8.0     HIGH       CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvelist      v5        8.0     HIGH
vendor_msrc            8.0     HIGH