
DIVD-2023-00010 - Remote Code Execution in Microsoft Exchange Server

Our reference: DIVD-2023-00010
Case lead: Célistine Oosting
Researcher(s):
CVE(s):
Products:
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019
Versions:
  • Microsoft Exchange Server 2013 < Cumulative Update 23 (Buildnr. 15.00.1497.047)
  • Microsoft Exchange Server 2016 < Cumulative Update 23 (Buildnr. 15.01.2507.021)
  • Microsoft Exchange Server 2019 < Cumulative Update 12 (Buildnr. 15.02.1118.025)
Recommendation: Be sure to install the latest Cumulative Security Update from Microsoft for Exchange
Patch status: Fully patched
Status: Closed
Last modified: 22 Jul 2024 10:53 CEST

Important Information

While parsing the data for the first mailrun of this case, an error caused some emails to be sent out erroneously for systems that are not affected by these vulnerabilities. If you have received an email stating that your systems are vulnerable, yet your systems are updated to at least the February 2023 Cumulative Update (Buildnrs. listed above), you can safely disregard this email.

Summary

On the 14th of February Microsoft released an update that patched 4 CVEs in Microsoft Exchange Server that can lead to remote code execution on vulnerable systems. After we became aware of these vulnerabilities, we created a case for them and began scanning for vulnerable systems.

What you can do

Make sure you’re on the latest Cumulative Update for your version of Exchange Server. The following are as of writing the latest versions.
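To check an inventory against the build numbers in the Versions list at the top of this advisory, the following is an added example (not DIVD's or Microsoft's code). It assumes that a build at or above the listed number counts as patched and that builds arrive either zero-padded as written here, unpadded, or in the display form `Version 15.1 (Build 2507.21)`. Host names and sample builds are constructed.

```python
import re

# Minimum patched builds, copied from the Versions list of this advisory.
PATCHED = {
    (15, 0): (15, 0, 1497, 47),   # Exchange Server 2013
    (15, 1): (15, 1, 2507, 21),   # Exchange Server 2016
    (15, 2): (15, 2, 1118, 25),   # Exchange Server 2019
}

def parse_build(text):
    """Return (major, minor, build, revision) as integers.

    Accepts "15.01.2507.021", "15.1.2507.21" and
    "Version 15.1 (Build 2507.21)". Fields are compared as numbers,
    because comparing the raw strings gives wrong answers:
    "15.2.1118.9" sorts after "15.02.1118.025" as text.
    """
    numbers = re.findall(r"\d+", text)
    if len(numbers) != 4:
        raise ValueError(f"cannot parse Exchange build: {text!r}")
    return tuple(int(n) for n in numbers)

def assess(text):
    """Classify a build string as 'patched', 'vulnerable' or 'unknown'."""
    try:
        build = parse_build(text)
    except ValueError:
        return "unknown"          # unparseable input is never reported as vulnerable
    minimum = PATCHED.get(build[:2])
    if minimum is None:
        return "unknown"          # product line not covered by this advisory
    return "patched" if build >= minimum else "vulnerable"

# Constructed inventory lines (host names and builds are made up).
SAMPLE = [
    ("mail01", "15.01.2507.021"),
    ("mail02", "Version 15.1 (Build 2507.17)"),
    ("mail03", "15.2.1118.9"),
    ("mail04", "15.00.1497.048"),
    ("mail05", "14.3.513.0"),
]

if __name__ == "__main__":
    for host, raw in SAMPLE:
        print(f"{host:8} {raw:32} {assess(raw)}")
```

Anything reported as `unknown` needs a manual look rather than a notification.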

What we are doing

We are scanning for these vulnerabilities and will send out notifications to owners of vulnerable systems.

Timeline

Date Description
14 Feb 2023 Patch Released by Microsoft
14 Feb 2023 Case Created Opened by DIVD
07 Mar 2023 DIVD Started the Initial Scan for this Vulnerability
01 May 2023 DIVD Rescanned for the Vulnerability
18 May 2023 DIVD Did the First Mailrun
22 Jul 2024 Case closed, casefile is inactive too long

More information