Vulnerability in Exchange Server actively exploited

9:30am, 10 March 2020

TLP Rating: Clear

Attackers are exploiting the vulnerability (CVE-2020-0688) to execute commands on the Exchange Control Panel (ECP). This allows highly privileged access to an organisation’s email servers by using the credentials of any domain user with a mailbox on the Exchange server.

What's happening

Systems affected

All versions of Microsoft Exchange Server are affected.

This attack requires network access to the ECP and a valid set of Exchange credentials. Note that all that is required is a Domain User account, not an Exchange Admin.

What this means

Attackers are able to send specially crafted requests to the ECP, which will run commands in the Exchange Server context (SYSTEM). 

This means an attacker can gain full control of the server, and the information it contains.

What to look for

How to tell if you're at risk

If you run an on-premise installation of Microsoft Exchange Server, and have not applied the February 2020 security updates, you’re at risk.

How to tell if you're affected

  • IIS access log entries containing __VIEWSTATE GET parameters
  • Presence of unusual child processes for the IIS worker process (w3wp.exe)
  • Presence of ECP ServerException logs containing “The serialised data is invalid”
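
One way to check exported logs for the first and third indicators above, as an added example (not CERT NZ or Microsoft tooling). The log samples are constructed, the ECP log line layout is an assumption, and the function names are hypothetical; the error pattern accepts both the spelling above and "serialized".

```python
import re
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not real log data).
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-03-01 02:11:07 GET /ecp/default.aspx __VIEWSTATE=AAAA%2FBBBB EXAMPLE\\jsmith 203.0.113.7 500
2020-03-01 02:12:40 GET /ecp/default.aspx - EXAMPLE\\akaur 198.51.100.9 200
2020-03-01 02:13:02 POST /ecp/default.aspx - EXAMPLE\\akaur 198.51.100.9 200
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-03-01 02:15:30 203.0.113.7 GET /ECP/default.aspx a=1&__viewstate=CCCC 500
"""

# Constructed ECP ServerException log text (line layout is an assumption).
SAMPLE_ECP_LOG = "2020-03-01T02:11:07 ServerException: The serialised data is invalid\n"

# Accepts the advisory's spelling and the "serialized" spelling (assumption).
INVALID_DATA = re.compile(r"the seriali[sz]ed data is invalid", re.IGNORECASE)


def find_viewstate_gets(log_text, path_prefix="/ecp/"):
    """Return GET requests under path_prefix that carry a __VIEWSTATE parameter."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "GET":
            continue
        if not row.get("cs-uri-stem", "").lower().startswith(path_prefix):
            continue
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        params = {name.lower(): values for name, values in query.items()}
        if "__viewstate" in params:
            hits.append({"when": f"{row.get('date')} {row.get('time')}",
                         "client": row.get("c-ip"), "user": row.get("cs-username"),
                         "status": row.get("sc-status"),
                         "viewstate_len": len(params["__viewstate"][0])})
    return hits


def count_invalid_viewstate_errors(ecp_log_text):
    """Count ECP log lines containing the error string listed in the advisory."""
    return sum(1 for line in ecp_log_text.splitlines() if INVALID_DATA.search(line))
```

Each hit records the client address, the authenticated user and the response status, which gives a starting point for correlating with w3wp.exe child-process activity at the same timestamp.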

What to do

Prevention

CERT NZ recommends you apply the February 2020 security updates immediately.

These controls can be implemented to make exploitation more difficult:

  • Restrict network access to the ECP.
  • Enable MFA on the Exchange Server.

More information

For more information, see:

If you experience any of these indicators of compromise, or aren't sure, submit a report on our website or contact us on 0800 CERTNZ.

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384