CVE-2023-36756
Published 2023-09-12
CVE-2023-36756: Microsoft Exchange Server Remote Code Execution Vulnerability
Priority P2 · 62 · CVSS 3.1: 8 (high)
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 74.67% (99.4th percentile)
Microsoft Exchange Server Remote Code Execution Vulnerability
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.032 | 15.01.2507.032 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_12 | >= 15.02.0 < 15.02.1118.037 | 15.02.1118.037 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_13 | >= 15.02.0 < 15.02.1258.025 | 15.02.1258.025 |
| msrc | microsoft_exchange_server_2016_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_12 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_13 | — | — |
Detection & IOCs (extracted from sources)
- Exploitation of CVE-2023-36756 requires an authenticated attacker with LAN access and valid Exchange user credentials making a network call to trigger malicious code in the context of the server's account.
- The attack chain leverages PowerShell Remoting ConvertViaNoArgumentConstructor deserialization; monitor Exchange PowerShell Remoting sessions for serialized XML payloads containing MS tags with nested type members not on the Exchange allow list.
- Monitor for abuse of the FederationTrust class (Microsoft.Exchange.Data.Directory.SystemConfiguration.FederationTrust) via Exchange PowerShell Remoting, specifically deserialization of X509Certificate2 with a UNC/file path argument for NTLM relaying (CVE-2023-36039).
- Monitor for abuse of TransportConfigContainer (Microsoft.Exchange.Data.Directory.SystemConfiguration.TransportConfigContainer) via Exchange PowerShell Remoting; the setter on TransportSystemState triggers XXE via XmlDocument on older .NET Framework (CVE-2023-36050).
- XamlReader deserialization via PowerShell Remoting member conversion can lead to RCE; detect serialized payloads referencing XamlReader as a member type in Exchange PowerShell Remoting traffic.
- Exploitation requires an authenticated attacker with LAN access and valid Exchange user credentials; not exploitable by unauthenticated or remote-only attackers.
- The vulnerability is patched by the August 2023 Exchange security updates; systems already running those updates are protected.
- The XXE vector (CVE-2023-36050) is specific to Exchange running on older .NET Framework versions where XmlDocument is not protected from XXE by default.
- As of publication, CVE-2023-36756 exploit status is 'Publicly Disclosed: No; Exploited: No' but rated 'Exploitation More Likely'.
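The detection bullets above describe the check but not how to apply it. The following is an added example, not code from this CVE record or from any of the cited sources: a small Python scanner that walks a PowerShell Remoting CLIXML payload, collects the type names declared in `<TN>` blocks of objects nested inside `<MS>` member sets, and reports any that are not on an allow list or that match the types the bullets single out (XamlReader, X509Certificate2, FederationTrust, TransportConfigContainer). The allow list and both sample payloads are constructed for illustration; the real Exchange allow list is not on this page, so `ALLOWED_TYPES` is a hypothetical stand-in.

```python
"""Scan PowerShell Remoting CLIXML for nested member types outside an allow list.

Added example for illustration. The allow list below is hypothetical; a real
deployment would substitute the Exchange allow list, which this page does not
reproduce.
"""
import xml.etree.ElementTree as ET

# Hypothetical allow list (stand-in for the Exchange list, which is not on the page).
ALLOWED_TYPES = frozenset({
    "System.Object", "System.ValueType", "System.String", "System.Int32",
    "System.Boolean", "System.Management.Automation.PSCustomObject",
})

# Types the page's detection notes call out explicitly; always reported.
WATCHLIST = frozenset({
    "System.Windows.Markup.XamlReader",
    "System.Security.Cryptography.X509Certificates.X509Certificate2",
    "Microsoft.Exchange.Data.Directory.SystemConfiguration.FederationTrust",
    "Microsoft.Exchange.Data.Directory.SystemConfiguration.TransportConfigContainer",
})

# CLIXML containers whose children can themselves be <Obj> elements.
CONTAINER_TAGS = ("MS", "LST")


def _local(tag):
    """Strip the CLIXML namespace so namespaced and bare payloads both work."""
    return tag.rsplit("}", 1)[-1]


def _type_names(obj):
    """Return the type names listed in an <Obj>'s <TN> block (full inheritance chain)."""
    tn = next((c for c in obj if _local(c.tag) == "TN"), None)
    if tn is None:
        return []
    return [(t.text or "").strip() for t in tn if _local(t.tag) == "T"]


def find_suspicious_types(clixml, allowed=ALLOWED_TYPES, watchlist=WATCHLIST):
    """Return (member_name, type_name, reason) tuples for suspicious nested types.

    Watch-listed types are reported at any depth; allow-list violations only for
    objects nested inside a member set or list (depth > 0), matching the
    'nested type members' wording of the detection note.
    """
    root = ET.fromstring(clixml)
    top = [root] if _local(root.tag) == "Obj" else [c for c in root if _local(c.tag) == "Obj"]
    findings = []

    def walk(obj, depth, member):
        for name in _type_names(obj):
            if name in watchlist:
                findings.append((member, name, "watchlist"))
            elif depth > 0 and name not in allowed:
                findings.append((member, name, "not-on-allow-list"))
        for container in obj:
            if _local(container.tag) in CONTAINER_TAGS:
                for child in container:
                    if _local(child.tag) == "Obj":
                        walk(child, depth + 1, child.get("N") or member)

    for obj in top:
        walk(obj, 0, obj.get("N") or "<root>")
    return findings


def is_suspicious(clixml):
    """Convenience wrapper for a yes/no verdict on one payload."""
    return bool(find_suspicious_types(clixml))


# Constructed sample: a benign-looking object carrying two nested members,
# one watch-listed type and one type outside the allow list.
SAMPLE_PAYLOAD = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN>
    <MS>
      <S N="Name">example</S>
      <Obj N="Payload" RefId="1">
        <TN RefId="1"><T>System.Windows.Markup.XamlReader</T><T>System.Object</T></TN>
        <MS><S N="Xaml">placeholder</S></MS>
      </Obj>
      <Obj N="Count" RefId="2">
        <TN RefId="2"><T>System.Int32</T><T>System.ValueType</T><T>System.Object</T></TN>
        <I32>3</I32>
      </Obj>
      <Obj N="Extra" RefId="3">
        <TN RefId="3"><T>Contoso.Hypothetical.Widget</T><T>System.Object</T></TN>
        <MS/>
      </Obj>
    </MS>
  </Obj>
</Objs>"""

# Constructed sample with only primitive members; should produce no findings.
BENIGN_PAYLOAD = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN>
    <MS><S N="Name">ok</S><I32 N="Count">1</I32></MS>
  </Obj>
</Objs>"""

if __name__ == "__main__":
    for member, type_name, reason in find_suspicious_types(SAMPLE_PAYLOAD):
        print(f"{reason}: member {member!r} declares type {type_name}")
```

The scanner is meant to run over captured Exchange PowerShell Remoting session bodies after they have been decoded to CLIXML; it treats the `<TN>` chain of every nested `<Obj>` as the thing to check, because that chain is what the converter consults when it decides which type to instantiate.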
CVSS provenance
- nvd v3.1: 8.0 HIGH (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- vendor_msrc: 8.0 HIGH
GHSA
GHSA-wp99-xcpc-rj24: Microsoft Exchange Server Remote Code Execution Vulnerability
ghsa_unreviewed · 2023-09-12 · CVE-2023-36756 [HIGH]
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc · 2023-09-12 · CVSS 8.0 · CVE-2023-36756 [HIGH] · CWE-502
FAQ: According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?
Yes, the attacker must be authenticated with LAN access and have credentials for a valid Exchange user.
FAQ: How could an attacker exploit this vulnerability?
In a network-based attack, an attacker could trigger malicious code in the context of the server's account through a network call.
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?
An attacker who successfully exploits this vulnerability could perform a remote
No detection rules found.
No public exploits indexed.
Trendmicro
Exploiting Exchange PowerShell After ProxyNotShell: Part 4
blogs_trendmicro·2024-09-26·CVSS 8.0
[HIGH] Exploiting Exchange PowerShell After ProxyNotShell: Part 4
# Exploiting Exchange PowerShell After ProxyNotShell: Part 4 – No Argument Constructor
Learn about exploiting Exchange PowerShell after ProxyNotShell in Part 4.
By: Zero Day Initiative
2024/09/26
As you may know, I recently presented my Exchange-related talk during OffensiveCon 2024. This series of 4 blog posts is meant to supplement the talk and provide additional technical details.
In this final part, I am going to describe the PowerShell Remoting ConvertViaNoArgumentConstructor conversion mechanism, which I underestimated at the beginning of my research. It allowed me to find 3 more vulnerabilities, even after the Exchange PowerShell attack surface had been significantly hardened by switching to a strict allow list of types. The vulnerabilitie
Qualys
Microsoft and Adobe Patch Tuesday, September 2023 Security Update Review
blogs_qualys·2023-09-12
Microsoft and Adobe Patch Tuesday, September 2023 Security Update Review
## Table of Contents
Microsoft Patch Tuesday for September 2023
Adobe Patches for September 2023
Zero-day Vulnerability Patched in September Patch Tuesday Edition
Other Critical Severity Vulnerabilities Patched in September Patch Tuesday Edition
Other Microsoft Vulnerability Highlights
Microsoft Release Summary
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
Qualys Monthly Webinar Series
Microsoft has released the Patch Tuesday edition for September. This month’s updates have addressed 66 security vulnerabilities (including Edge Chromium-based) in multip
Bleepingcomputer
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
blogs_bleepingcomputer·2023-09-12·CVSS 6.5
[MEDIUM] Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
## Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
## Lawrence Abrams
3 Security Feature Bypass Vulnerabilities
24 Remote Code Execution Vulnerabilities
9 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
5 Spoofing Vulnerabilities
5 Edge - Chromium Vulnerabilities
The total count of 59 flaws does not include five Microsoft Edge (Chromium) vulnerabilities and two non-Microsoft flaws in Electron and Autodesk.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5030219 cumulative update and Windows 10 KB5030211 updates released.
## Two actively exploited zero-day vulnerabilities
This month's Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks
Talos
Microsoft Patch Tuesday for September 2023 — Unusually low 5 critical vulnerabilities included in Microsoft Patch Tuesday, along with two zero-days
blogs_talos·2023-09-12·CVSS 8.0
[HIGH] Microsoft Patch Tuesday for September 2023 — Unusually low 5 critical vulnerabilities included in Microsoft Patch Tuesday, along with two zero-days
Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.
However, there are two issues disclosed and patched this month that have already been exploited in the wild.
Fifty-six of the vulnerabilities included in this month’s Patch Tuesday are considered “important,” according to Microsoft, while two are of “moderate” severity. One remote code execution vulnerability in Microsoft Exchange Server, CVE-2023-36756, was meant to be included in August’s security update but was mistakenly excluded. Users should ensure the August 2023 security update for Exchange is already downloaded to remediate this issue.
One of the vulnerabilities adversaries are alr
Tenable
Microsoft’s September 2023 Patch Tuesday Addresses 61 CVEs (CVE-2023-36761)
blogs_tenable·2023-09-12·CVSS 6.5
[MEDIUM] Microsoft’s September 2023 Patch Tuesday Addresses 61 CVEs (CVE-2023-36761)
Published: 2023-09-12