by Konstantinos Xanthopoulos | Senior System Engineer

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Microsoft identified a remote code execution vulnerability in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The vulnerability identity is CVE-2020-0688 and more details about it follow below:

The above vulnerability affects all supported Microsoft Exchange versions; from 2010 to 2019.

The following security updates address the vulnerability by correcting how Microsoft Exchange creates the keys during install.

Since there aren’t any workaround or mitigation factors available, we urge you to prioritize the update installation the soonest due to the criticality of the flaw.

Microsoft Exchange Server 2019 and 2016:

Microsoft Exchange Server 2013:

Microsoft Exchange Server 2010:

If you have any inquiries or you need a piece of advice, please do not hesitate to contact us!