Critical Microsoft Exchange Vulnerability Under Active Exploitation

Microsoft has issued an urgent security advisory for critical vulnerabilities in Microsoft Exchange Server that are being actively exploited in the wild. Organizations running affected versions must take immediate action to secure their systems.

Affected Products

The following versions of Microsoft Exchange Server are affected:

• Microsoft Exchange Server 2019 (Cumulative Update 8 or earlier)
• Microsoft Exchange Server 2016 (Cumulative Update 19 or earlier)
• Microsoft Exchange Server 2013 (Cumulative Update 23 or earlier)
• Exchange Online

Vulnerabilities

Multiple critical vulnerabilities have been identified:

1. CVE-2023-23397 - CVSS 9.8 (Critical)

   • Server-Side Request Forgery (SSRF) vulnerability
   • Allows unauthenticated attackers to send specially crafted requests to Exchange servers
   • Could lead to arbitrary code execution with SYSTEM privileges

2. CVE-2023-23398 - CVSS 9.8 (Critical)

   • Remote Code Execution vulnerability
   • Allows an attacker to execute arbitrary code on the Exchange server
   • Exploitation does not require authentication

3. CVE-2023-23412 - CVSS 8.8 (High)

   • Information disclosure vulnerability
   • Could allow an attacker to access sensitive information

Timeline

• Discovery: Vulnerabilities discovered by Microsoft security researchers in March 2023
• Public Disclosure: March 14, 2023
• Exploitation Detected: Active exploitation observed in the wild starting March 12, 2023
• Fix Release: March 14, 2023 with cumulative updates
• Recommended Action: Apply within 72 hours of release

Mitigation Steps

Organizations must take immediate action:

1. Apply Updates Immediately: Download and install the latest cumulative updates for your Exchange Server version:

   • Exchange Server 2019 CU9: Download link
   • Exchange Server 2016 CU20: Download link
   • Exchange Server 2013 CU23: Download link

2. Exchange Online Customers: Microsoft has applied mitigations automatically. No action required.

3. Workaround: If unable to apply updates immediately:

   • Configure Exchange Server to block external access to the Exchange Control Panel (ECP)
   • Implement IP restrictions on Exchange services
   • Disable the Exchange Control Panel virtual directory

4. Monitoring: Implement enhanced monitoring for suspicious activity, particularly:

   • Unusual authentication attempts
   • Unexpected PowerShell execution
   • Modifications to Exchange configuration

5. Incident Response: Prepare to investigate potential compromise if exploitation is detected.

Impact Assessment

Exploitation of these vulnerabilities could allow attackers to:

• Take complete control of Exchange servers
• Access sensitive email communications
• Steal credentials and other sensitive data
• Move laterally to other network resources
• Deploy ransomware or other malware

Additional Resources

For more information, visit:

• Microsoft Security Advisory
• Microsoft Security Response Center
• Exchange Server Security Guidance

Organizations should treat this security update as a priority. The combination of critical severity, active exploitation, and the potential for complete system compromise makes this a top-tier security concern.