CVE-2023-36757
Published 2023-09-12
CVE-2023-36757: Microsoft Exchange Server Spoofing Vulnerability
CVSS 3.1: 8.0 (High), vector AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 68.60% (99.3rd percentile)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.032 | 15.01.2507.032 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_12 | >= 15.02.0 < 15.02.1118.037 | 15.02.1118.037 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_13 | >= 15.02.0 < 15.02.1258.025 | 15.02.1258.025 |
| msrc | microsoft_exchange_server_2016_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_12 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_13 | — | — |
Detection & IOCs (extracted from sources)
- Attacker must be authenticated with LAN access and have credentials for a valid Exchange user (PR:L, AV:A) — monitor for authenticated Exchange users performing unusual SSRF or outbound NTLM-triggering requests from Exchange Server.
- Successful exploitation results in capture of a victim user's Net-NTLMv2 hash, which is then used in an NTLM Relay attack against another service — monitor for outbound NTLM authentication attempts originating from Exchange Server to internal or external hosts.
- Patch requirement: the August 2023 Exchange security updates must be installed to remediate this vulnerability.
- Exploitation requires LAN adjacency (AV:A per CVSS) — external-only network segmentation of Exchange does not fully mitigate risk if internal attackers are present.
- As of advisory publication, the vulnerability was not yet publicly disclosed or exploited in the wild (Exploitation Less Likely).
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| cvelistv5 | — | 8.0 | HIGH | — |
| vendor_msrc | — | 8.0 | HIGH | — |
Source: Microsoft (vendor_msrc), 2023-09-12, CVSS 8.0
CVE-2023-36757 [HIGH] CWE-502 Microsoft Exchange Server Spoofing Vulnerability
FAQ: According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?
Yes, the attacker must be authenticated with LAN-access and have credentials for a valid Exchange user.
FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.
FAQ: What updates do I need to install to be protected from this vulnerabil
Source: CVEList (cvelistv5), 2023-09-12, CVSS 8.0
CVE-2023-36757 [HIGH] CWE-502 Microsoft Exchange Server Spoofing Vulnerability
No detection rules found.
No public exploits indexed.
Published: 2023-09-12