HighCISA KEVExploited in the wildPublic exploit

Post-authentication deserialization RCE in Microsoft Exchange Server 2010

IdentifiersCVE-2020-17144CWE-502· Deserialization of Untrusted Data

CVE-2020-17144 is a Microsoft Exchange Server remote code execution vulnerability described in the provided content as a post-authentication deserialization flaw affecting Exchange 2010. The supporting context explicitly compares it to CVE-2018-8302 and CVE-2020-0688 and states that it requires valid login credentials to exploit. The available content does not provide a reliable vulnerable function, code path, or protocol-level trigger for CVE-2020-17144 specifically, but it consistently characterizes the issue as an authenticated unsafe deserialization bug in Microsoft Exchange that can be used to obtain code execution on vulnerable Exchange 2010 servers.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to remote code execution on the vulnerable Microsoft Exchange server. The provided context also indicates attackers have used CVE-2020-17144 together with valid credentials to escalate privileges, establish persistent access, and gain administrative control of exposed Exchange systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting or removing public access to Exchange services, enforcing MFA for all Exchange-accessible accounts, limiting administrative and service account privileges, monitoring for suspicious authenticated activity against Exchange, and rotating credentials that may have been exposed. Because exploitation is described as post-authentication, hardening identity controls and preventing credential reuse materially reduces risk.

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates for CVE-2020-17144 on affected Microsoft Exchange Server 2010 deployments. Because the content only establishes that Exchange 2010 is affected and does not enumerate exact update rollups or KB numbers, specific patch identifiers are currently not available from the provided material. Organizations should also verify that no unsupported Exchange 2010 instances remain internet-exposed.

PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 2 / 2 TOTALView more in app

CVE-2020-17144-EXPMaturityPoCVerified exploit

This repository is a C# exploit for CVE-2020-17144, targeting Microsoft Exchange Server 2010. The exploit leverages a deserialization vulnerability in Exchange Web Services (EWS) to write a webshell to the server's autodiscover directory, specifically at 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\autodiscover\Services.aspx'. The main entry point is 'Program.cs', which takes three arguments: the target Exchange server's domain, a username, and a password. The exploit uses the ysoserial.net gadget chain to generate a malicious serialized payload, which is then uploaded to the server via the EWS API. The default payload writes a simple webshell, but the code can be modified to execute arbitrary commands. The repository includes all necessary code to generate the payload and interact with the Exchange server, and references the Exchange Web Services Managed API. The README provides usage instructions and notes that the exploit requires valid user credentials and an Exchange 2010 environment.

AirboiDisclosed Dec 9, 2020csharpxmlnetwork

CVE-2020-17144MaturityPoCVerified exploit

This repository contains a weaponized exploit for CVE-2020-17144, a deserialization vulnerability in Microsoft Exchange 2010's MRM.AutoTag.Model. The main exploit file (CVE-2020-17144.cs) authenticates to the Exchange Web Services endpoint using provided credentials and uploads a malicious configuration containing a serialized payload (compiled from e.cs as e.dll). The payload, when deserialized by Exchange, starts an HTTP listener on port 80 at /ews/soap/. This backdoor allows an attacker to execute arbitrary system commands by sending HTTP requests with a specific query parameter (e.g., http://[target]/ews/soap/?pass=whoami). The repository includes a batch file (make.bat) for building the exploit and payload DLL. The exploit requires valid Exchange credentials and targets Exchange 2010 servers vulnerable to CVE-2020-17144. The structure is straightforward: CVE-2020-17144.cs (exploit logic), e.cs (payload/backdoor), make.bat (build script), and README.md (usage instructions).

zcgonvhDisclosed Dec 9, 2020csharpbatchnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationExchange Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

microsoft security blogNews

Mar 24, 2023

Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog

A vulnerability listed as one of several publicly available exploits leveraged by Forest Blizzard.

medium peterjsonNews

Nov 19, 2021

Some notes about Microsoft Exchange Deserialization RCE (CVE-2021-42321) | by Peterjson | Medium

A referenced authenticated deserialization vulnerability affecting Exchange 2010 servers, mentioned only as background comparison for gadget-chain and exploitation discussion.

breaking defenseNews

Jul 1, 2021

US, UK Warn Of New Worldwide Russian Cyberespionage - Breaking Defense

A Microsoft Exchange Server vulnerability used by the threat actor to help establish persistence and escalate privileges during the intrusion.

mitre attack websiteNews

Oct 1, 2016

APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch, Group G0007 | MITRE ATT&CK®

A Microsoft Exchange vulnerability used by APT28 via public exploit code to gain execution on vulnerable Exchange servers.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence7

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2020-17144

NVD

nvd.nist.gov/vuln/detail/CVE-2020-17144

MITRE CWE · CWE-502

Deserialization of Untrusted Data

Patch

msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144

Patch

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17144