1 October 2020

More than 240,000 Microsoft Exchange servers are still vulnerable to CVE-2020-0688


Eight months after Microsoft addressed CVE-2020-0688, a vulnerability in Microsoft Exchange Server, 61% of Internet-facing Exchange servers (Exchange 2010, 2013, 2016, and 2019) are still vulnerable to exploitation, new research from the cybersecurity firm Rapid7 has revealed.

CVE-2020-0688 resides in the Exchange Control Panel (ECP) component and stems from Exchange Server failing to generate unique cryptographic keys at installation time: every install shipped with the same static validationKey and decryptionKey in the ECP web.config, so anyone who can authenticate to ECP can forge a signed ViewState payload that the server deserializes. This allows a remote, authenticated attacker to execute arbitrary code with SYSTEM privileges on the server and fully compromise it.
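A fleet check that follows from this, written as an added example for this page rather than code from Rapid7 or Microsoft: because the flaw is a machineKey shared by every install, the practitioner's question is whether any two of their servers still share the same validationKey and decryptionKey in the ECP web.config (ClientAccess\ecp\web.config under the Exchange install directory). The host names and key values below are placeholders constructed for the example, not the real Exchange keys.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for three hypothetical hosts. The hex
# values are placeholders made up for this example, not Exchange's real keys.
# exch01 and exch02 share a key (the unpatched pattern); exch03 has its own.
SAMPLE_CONFIGS = {
    "exch01": """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
    "exch02": """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
    "exch03": """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
}


def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey) from a web.config string,
    or None when the file has no machineKey element."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return node.get("validationKey"), node.get("decryptionKey")


def find_shared_keys(configs):
    """Group hosts by their (validationKey, decryptionKey) pair and keep only
    pairs used by more than one host. A shared pair means an authenticated
    user on one server can forge ViewState that every other server accepts."""
    by_key = defaultdict(list)
    for host, xml in configs.items():
        keys = extract_machine_key(xml)
        if keys is not None:
            by_key[keys].append(host)
    return {k: hosts for k, hosts in by_key.items() if len(hosts) > 1}


def hosts_sharing_keys(configs):
    """Flat, sorted list of hosts whose machineKey is not unique in the fleet."""
    return sorted(h for hosts in find_shared_keys(configs).values() for h in hosts)


if __name__ == "__main__":
    for host in hosts_sharing_keys(SAMPLE_CONFIGS):
        print(f"{host}: machineKey shared with another server, treat as unpatched")
```

A unique key on every server is necessary but not sufficient evidence that the February update was applied; the build number of each server should be checked against Microsoft's release table as well, which is how Rapid7's scan classified servers.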

Microsoft fixed the flaw in its February 2020 Patch Tuesday release, but Rapid7's investigation showed that over 247,000 Microsoft Exchange servers (61% of the 405,873 Exchange installs observed) remain unpatched.

The researchers said that 87% of almost 138,000 Exchange 2016 servers and 77% of nearly 25,000 Exchange 2019 servers are still vulnerable to CVE-2020-0688, and roughly 54,000 Exchange 2010 servers have not been updated in six years. The research also found 16,577 servers running Exchange 2007, an unsupported version that received no security update for CVE-2020-0688, reachable over the Internet.

In March, the cybersecurity firm Volexity reported multiple attempts by nation-state hackers to exploit this vulnerability. Administrators can look for exploitation attempts in two places: the Windows Application event log, where a failed attempt produces an error containing the text "Invalid viewstate", and the IIS logs, where requests to a path under /ecp (usually /ecp/default.aspx) carry the __VIEWSTATE and __VIEWSTATEGENERATOR parameters in the query string. Because exploitation requires valid credentials, the account named in a flagged request should be treated as compromised.
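The two checks above, run over sample data, as an added example that is not part of the original article and not Volexity's tooling. The IIS log excerpt and the event messages are constructed for the example (hosts, users and addresses are made up); the parser follows the W3C field header that IIS writes, and the detection rests on the point that IIS logs only the query string, so ViewState parameters appearing there for an /ecp path are the indicator rather than normal ECP traffic, which posts them in the body.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt for the example (not a real capture).
# Field order follows the #Fields header, as IIS writes it; IIS writes
# spaces inside a field such as the user agent as '+'.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-10-01 08:15:02 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2020-10-01 08:16:40 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2020-10-01 08:17:13 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234&__VIEWSTATE=AAAAQUJD%2BDEF%3D 443 CONTOSO\\bob 203.0.113.9 python-requests/2.24.0 500
2020-10-01 08:17:15 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234&__VIEWSTATE=AAAAQUJD%2BDEF%3D 443 CONTOSO\\bob 203.0.113.9 python-requests/2.24.0 500
"""

# Constructed Application event log message texts (for instance as pulled
# out with Get-WinEvent); hypothetical hostname, not real log entries.
SAMPLE_EVENT_MESSAGES = [
    "Request for URL 'https://mail.example.com/ecp/default.aspx' failed with the following error: Invalid viewstate. Client IP: 203.0.113.9",
    "Mailbox database 'DB01' was mounted successfully.",
]

VIEWSTATE_PARAMS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR"}


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def is_suspicious_ecp_request(entry):
    """True when a request under /ecp carries ViewState in the query string."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    params = parse_qs(query, keep_blank_values=True)
    return bool(VIEWSTATE_PARAMS & set(params))


def triage_iis_log(text):
    """Return the flagged IIS entries in log order."""
    return [e for e in parse_w3c_log(text) if is_suspicious_ecp_request(e)]


def suspect_accounts(text):
    """Sorted (account, client IP) pairs behind flagged requests; exploitation
    needs valid credentials, so these accounts are the ones to reset."""
    return sorted({(e["cs-username"], e["c-ip"]) for e in triage_iis_log(text)})


def triage_event_messages(messages):
    """Flag Application-log messages that report a ViewState validation failure."""
    return [m for m in messages if "invalid viewstate" in m.lower()]


if __name__ == "__main__":
    for hit in triage_iis_log(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["cs-username"], hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
    print("accounts to reset:", suspect_accounts(SAMPLE_IIS_LOG))
    for msg in triage_event_messages(SAMPLE_EVENT_MESSAGES):
        print("EVENT:", msg)
```

A flagged request with a 200 status deserves more urgency than the 500s shown here, since it means the forged ViewState was accepted; either way the source address and the account used are the pivot points for the rest of the investigation.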

