Microsoft Exchange Vulnerabilities: Zero-Days Pave Way for Remote Code Execution


Key Takeaways:

  • Trend Micro’s Zero Day Initiative (ZDI) disclosed four zero-day vulnerabilities in Microsoft Exchange, with CVSS scores ranging from 7.1 to 7.5.
  • Microsoft has already released updates to address one of the vulnerabilities and is currently evaluating the remaining ones for patching.
  • Organizations are advised to restrict engagement with Exchange apps and enforce multi-factor authentication for added security.

Trend Micro’s Zero Day Initiative (ZDI) has disclosed four zero-day vulnerabilities in Microsoft Exchange. The security flaws could enable threat actors to run arbitrary code and disclose sensitive information on victims’ machines.

According to ZDI, the critical vulnerabilities were reported to Microsoft in September 2023, with CVSS scores ranging from 7.1 to 7.5. Surprisingly, Microsoft’s security engineers chose to postpone addressing these issues and stated that they did not deem them critical enough to require immediate action.

The first one (ZDI-23-1578) is a remote code execution (RCE) vulnerability in the ‘ChainedSerializationBinder’ class, stemming from insufficient validation of user-supplied data. It lets attackers have untrusted data deserialized and execute arbitrary code with high-level system privileges on Windows systems. The second flaw (ZDI-23-1579) enables threat actors to access sensitive information from Exchange servers.
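The deserialization flaw above is described only at the level of the vulnerability class, so as an added illustration (not Exchange code, and not ZDI's or Microsoft's) here is the defensive pattern that a serialization binder is supposed to enforce: reject any type that is not on an explicit allowlist before it is reconstructed. The example uses Python's `pickle` because it exposes the same hook (`find_class`) that a .NET `SerializationBinder` does; the allowlist contents and the sample payloads are constructed for the demonstration.

```python
import io
import pickle
from typing import Tuple

# Constructed allowlist: the only (module, name) globals the unpickler may
# resolve. Anything else is refused before it can be instantiated.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allowlist."""

    def find_class(self, module, name):
        # find_class is called for every GLOBAL / STACK_GLOBAL opcode, i.e.
        # every time the stream asks for a type or callable by name.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not on the allowlist"
        )


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes under the allowlist policy."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> Tuple[bool, object]:
    """Return (accepted, value_or_reason) so callers can log rejections."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    import collections

    # Constructed benign payload: plain builtins only, no global lookups needed.
    benign = pickle.dumps({"subject": "hello", "size": 3})
    # Constructed non-allowlisted payload: references collections.OrderedDict,
    # which forces a find_class call and is refused.
    not_allowed = pickle.dumps(collections.OrderedDict())
    print(try_load(benign))
    print(try_load(not_allowed))
```

The point of the pattern is that the check happens on the type name before any object is created; a binder that resolves first and validates afterwards, or that validates against a denylist, leaves the gap the advisory describes.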

The third vulnerability (ZDI-23-1580) originates from improper URI validation in the ‘DownloadDataFromOfficeMarketPlace’ method and could lead to unauthorized information disclosure on affected installations of Microsoft Exchange. ZDI-23-1581 is a similar issue in the ‘CreateAttachmentFromUri’ method, again exposing sensitive data.
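Both of the URI flaws above come down to a server fetching a URI without constraining where it may point. As an added example (not Exchange's code, and the host allowlist is a constructed placeholder), the following validator shows the checks a server-side fetch of a user-supplied URI should make before any request is issued: an explicit scheme allowlist, no embedded credentials, no literal IP addresses, an exact host allowlist and a fixed port.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed policy: the only scheme and hosts a server-side fetch may use.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"marketplace.example.com"}  # placeholder, not a real endpoint
ALLOWED_PORTS = {None, 443}                  # None means the scheme default


def validate_download_uri(uri: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Only allow=True URIs may be fetched."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URI: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"

    # user:pass@host forms are a classic way to make the host look trusted.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URI are not allowed"

    host = parts.hostname  # already lowercased; IPv6 brackets stripped
    if not host:
        return False, "missing host"

    # Literal addresses bypass DNS-based expectations; refuse them outright.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "literal IP addresses are not allowed"

    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allowed"

    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering the common bypass shapes.
    for sample in [
        "https://marketplace.example.com/app/1",
        "http://marketplace.example.com/app/1",
        "https://marketplace.example.com@other.example/",
        "https://127.0.0.1/",
        "https://marketplace.example.com:8443/",
        "file:///tmp/data.txt",
    ]:
        print(sample, "->", validate_download_uri(sample))
```

Because the whole policy is an allowlist, a URI that merely looks like the trusted host (a different host with the trusted name in the userinfo part, an IP literal, an alternate port) is refused rather than reasoned about case by case.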

Hackers require authentication to exploit Microsoft Exchange flaws

Microsoft has already addressed the ZDI-23-1578 vulnerability through the August 2023 Patch Tuesday updates. The company says that attackers would need prior access to email credentials to exploit the remaining security flaws, which is one of the reasons these vulnerabilities have not been exploited in the wild.

“We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we’re committed to taking the necessary steps to help protect customers. We’ve reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate,” a Microsoft spokesperson said in a statement to Bleeping Computer.

Zero Day Initiative (ZDI) advises organizations to restrict engagement with Exchange apps. Note, however, that doing so could disrupt workflows for many enterprise customers. It is also highly recommended to enforce multi-factor authentication (MFA), since the remaining flaws require valid credentials, to prevent threat actors from gaining unauthorized access to Exchange accounts.