CVE-2023-38185

FAQ

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution?

The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?

Yes, the attacker must be authenticated.

How could an attacker exploit this vulnerability?

In a network-based attack, an attacker could trigger malicious code in the context of the server's account through a network call.

Is there anything that I should be aware of if I'm running a non-English operating system and version of Exchange server?

Yes, an issue has been discovered with the non-English August updates of Exchange Server and you should postpone installing these updates. The script protecting customers from the vulnerability documented by CVE-2023-21709 can be run to protect against the vulnerability without installing the August updates. Microsoft recommends running the script.

August 15, 2023 Update: The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.

Please see the Exchange Blog for more information.