CVE-2023-35388

FAQ

Is there anything that I should be aware of if I'm running a non-English operating system and version of Exchange server?

Yes, an issue has been discovered with the non-English August updates of Exchange Server and you should postpone installing these updates. The script protecting customers from the vulnerability documented by CVE-2023-21709 can be run to protect against the vulnerability without installing the August updates. Microsoft recommends running the script.

August 15, 2023 Update: The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.

Please see the Exchange Blog for more information.

How could an attacker exploit this vulnerability?

An authenticated attacker who is on the same intranet as the Exchange server can achieve remote code execution via a PowerShell remoting session.

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?

Yes, the attacker must be authenticated with LAN-access and have credentials for a valid Exchange user.

According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability?

An authenticated attacker could exploit this vulnerability with LAN access.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An authenticated attacker could gain remote code execution rights on the server mailbox backend as NT AUTHORITY\SYSTEM.