HighCISA KEVExploited in the wildPublic exploit

Microsoft Exchange Remote Code Execution Vulnerability

IdentifiersCVE-2020-17144CWE-287

CVE-2020-17144 is a remote code execution vulnerability affecting Microsoft Exchange Server. The provided content identifies it as a Microsoft Exchange RCE flaw and repeatedly notes its use against vulnerable, public-facing Exchange deployments by APT28/Forest Blizzard to gain execution. The content does not provide the vulnerable function, root cause, or a vendor technical breakdown, so more specific implementation details are currently not available.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker to gain remote code execution on a vulnerable Microsoft Exchange server. In the observed intrusions described in the content, actors used CVE-2020-17144 together with valid or harvested credentials and other techniques to escalate privileges, establish persistence, move laterally, access Exchange and Microsoft 365 resources, and exfiltrate emails and files.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce exposure of internet-facing Exchange services, restrict administrative access, enforce multifactor authentication, monitor for exploitation and anomalous Exchange activity, and review for use of compromised credentials. The content also recommends strong passwords, account lockout controls, zero-trust principles, centralized logging, and assuming broader identity compromise if intrusion evidence is found.

Remediation

Patch, then assume compromise.

Apply the relevant Microsoft security updates for Microsoft Exchange Server that address CVE-2020-17144. The supporting content also emphasizes general hardening measures for exposed Exchange environments, including timely patch management, strong passwords, multifactor authentication, centralized logging, endpoint detection and response, and least-privilege administration.

PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 2 / 2 TOTALView more in app

CVE-2020-17144-EXPMaturityPoCVerified exploit

This repository is a C# exploit for CVE-2020-17144, targeting Microsoft Exchange Server 2010. The exploit leverages a deserialization vulnerability in Exchange Web Services (EWS) to write a webshell to the server's autodiscover directory, specifically at 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\autodiscover\Services.aspx'. The main entry point is 'Program.cs', which takes three arguments: the target Exchange server's domain, a username, and a password. The exploit uses the ysoserial.net gadget chain to generate a malicious serialized payload, which is then uploaded to the server via the EWS API. The default payload writes a simple webshell, but the code can be modified to execute arbitrary commands. The repository includes all necessary code to generate the payload and interact with the Exchange server, and references the Exchange Web Services Managed API. The README provides usage instructions and notes that the exploit requires valid user credentials and an Exchange 2010 environment.

AirboiDisclosed Dec 9, 2020csharpxmlnetwork

CVE-2020-17144MaturityPoCVerified exploit

This repository contains a weaponized exploit for CVE-2020-17144, a deserialization vulnerability in Microsoft Exchange 2010's MRM.AutoTag.Model. The main exploit file (CVE-2020-17144.cs) authenticates to the Exchange Web Services endpoint using provided credentials and uploads a malicious configuration containing a serialized payload (compiled from e.cs as e.dll). The payload, when deserialized by Exchange, starts an HTTP listener on port 80 at /ews/soap/. This backdoor allows an attacker to execute arbitrary system commands by sending HTTP requests with a specific query parameter (e.g., http://[target]/ews/soap/?pass=whoami). The repository includes a batch file (make.bat) for building the exploit and payload DLL. The exploit requires valid Exchange credentials and targets Exchange 2010 servers vulnerable to CVE-2020-17144. The structure is straightforward: CVE-2020-17144.cs (exploit logic), e.cs (payload/backdoor), make.bat (build script), and README.md (usage instructions).

zcgonvhDisclosed Dec 9, 2020csharpbatchnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationExchange Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

microsoft security blogNews

Mar 24, 2023

Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog

A vulnerability listed as one of several publicly available exploits leveraged by Forest Blizzard.

breaking defenseNews

Jul 1, 2021

US, UK Warn Of New Worldwide Russian Cyberespionage - Breaking Defense

A Microsoft Exchange Server vulnerability used by the threat actor to help establish persistence and escalate privileges during the intrusion.

mitre attack websiteNews

Oct 1, 2016

APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch, Group G0007 | MITRE ATT&CK®

A Microsoft Exchange vulnerability used by APT28 via public exploit code to gain execution on vulnerable Exchange servers.

mitre attack websiteNews

Mar 20, 2015

Exploit Public-Facing Application, Technique T1190 - Enterprise | MITRE ATT&CK®

A Microsoft Exchange vulnerability used by APT28 to gain execution.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence7

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2020-17144

NVD

nvd.nist.gov/vuln/detail/CVE-2020-17144

MITRE CWE · CWE-287

cwe.mitre.org

Patch

msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144

Patch

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17144