MS Exchange RCE Vulnerability Threat Intelligence Advisory

###### Advisory Type Vulnerability Intelligence
###### Vulnerability Type Remote Code Execution
###### CVE CVE-2020-16875
###### Platform Microsoft Exchange Server, On-premise/Cloud
###### CVSS 9.1

A Remote Code Execution (RCE) vulnerability in Microsoft Exchange Server affects on-premise deployments and, by extension, hosting and Software-as-a-Service (SaaS) providers that run Exchange Server for their customers. Exchange administration is built on PowerShell: the management cmdlets (a cmdlet is a lightweight command executed in the PowerShell environment) are exposed over the PowerShell Remoting interface, which is what both the Exchange Management Shell and the Exchange Control Panel use behind the scenes. The critical flaw lies in one of these cmdlets and allows a command supplied by the attacker to run on the target server with the high privileges of the Exchange service.

The vulnerable cmdlet is New-DlpPolicy. The class that implements it is Microsoft.Exchange.MessagingPolicies.CompliancePrograms.Tasks.NewDlpPolicy, found in the Microsoft.Exchange.Management.dll library under C:\Program Files\Microsoft\Exchange Server\V15\Bin.

The New-DlpPolicy cmdlet creates a new data loss prevention (DLP) policy from template data supplied by the caller. That template is not properly validated, so a malicious user can embed system commands in it and have them executed on the server, resulting in RCE. The cmdlet is reachable both through the Exchange Control Panel (ECP) web interface and through the PowerShell Remoting endpoint; in either case the attacker needs an authenticated account that is permitted to create DLP policies. Because the ECP route is an ordinary HTTPS request, it is easy to package as an exploit module, and a Metasploit module targeting it is already publicly available.
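The following PowerShell is added here as an example and is not part of the original advisory, nor Microsoft or Metasploit code. It shows the three checks an Exchange administrator would run after reading the paragraph above: who can reach New-DlpPolicy at all, which calls to it the admin audit log has recorded (the ECP and PowerShell Remoting paths both go through the cmdlet, so both are logged), and which DLP policy objects currently exist. It assumes an on-premise Exchange 2016/2019 Exchange Management Shell, that the built-in "Data Loss Prevention" management role is the one granting New-DlpPolicy, that admin audit logging is enabled (the default), and that the reader fills in $ExpectedCallers, a placeholder allowlist.

```powershell
<#
  Added example for this advisory; not from the original post, Microsoft or
  Metasploit. Run in the Exchange Management Shell on an on-premise Exchange
  2016/2019 server. Assumptions: admin audit logging is enabled (the default),
  the built-in "Data Loss Prevention" role is what grants New-DlpPolicy, and
  $ExpectedCallers lists the callers you know to be legitimate, spelled the way
  Search-AdminAuditLog reports them (e.g. "contoso.com/Users/jdoe").
#>
param(
    [int]$LookbackDays = 30,
    [string[]]$ExpectedCallers = @('contoso.com/Users/exchange-admin')   # assumed placeholder
)

$now   = Get-Date
$start = $now.AddDays(-$LookbackDays)

# 1. Attack surface: every principal listed here can reach New-DlpPolicy through
#    ECP or the PowerShell Remoting endpoint, so each is a credential worth
#    protecting and a candidate for role removal if DLP administration is not its job.
Write-Output "== Principals with effective access to the Data Loss Prevention role =="
Get-ManagementRoleAssignment -Role 'Data Loss Prevention' -GetEffectiveUsers |
    Select-Object -ExpandProperty EffectiveUserName -Unique |
    Sort-Object |
    ForEach-Object { Write-Output "  $_" }

# 2. Evidence: cmdlets run through ECP or remoting are written to the admin audit
#    log, so an exploitation attempt shows up as a New-DlpPolicy call. Flag calls
#    from callers not on the allowlist and calls that passed -TemplateData, the
#    parameter that carries the caller-controlled template.
Write-Output "`n== New-DlpPolicy invocations in the last $LookbackDays days =="
$events = Search-AdminAuditLog -Cmdlets 'New-DlpPolicy' -StartDate $start -EndDate $now

$findings = foreach ($e in $events) {
    # Flatten the bound parameters to "Name=Value; ..." for display and matching.
    $params  = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    $reasons = @()
    if ($ExpectedCallers -notcontains $e.Caller) { $reasons += 'unexpected caller' }
    if ($params -match '(?i)TemplateData')       { $reasons += 'inline template supplied' }
    [PSCustomObject]@{
        RunDate    = $e.RunDate
        Caller     = $e.Caller
        Succeeded  = $e.Succeeded
        Server     = $e.OriginatingServer
        Parameters = $params
        Verdict    = if ($reasons) { 'REVIEW: ' + ($reasons -join ', ') } else { 'expected' }
    }
}
$findings | Sort-Object RunDate | Format-Table -AutoSize

# 3. Artefacts: a policy created during exploitation persists as a DLP policy
#    object unless the attacker cleans up. Compare creation times with the log above.
Write-Output "`n== Existing DLP policies =="
Get-DlpPolicy | Select-Object Name, State, Mode, WhenCreated | Format-Table -AutoSize
```

A New-DlpPolicy call carrying TemplateData from a caller you do not recognise should be treated as an exploitation attempt, and because the embedded command runs at the Exchange service's privilege, the server should then be handled as compromised rather than just cleaned up. An empty result is not proof of absence: the admin audit log is only kept for a limited time (90 days by default) and records nothing if logging was turned off.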

###### Impact
  • Attackers can execute arbitrary commands on the target server with the highest (SYSTEM-level) privilege.
  • Corporate email accounts will face the risk of compromise.
  • Compromised email accounts can be used in phishing campaigns.
  • RCE will give the attackers ability to leave backdoors on the servers.
  • Attackers can further the attack deeper into internal networks using the compromised server as a pivot.

###### Patch Status
  • Patch bypass: security researchers bypassed the patch issued for CVE-2020-16875. The first bypass was assigned CVE-2020-17132. That fix was bypassed in turn, so a further patch is required to close both bypasses; installing only the September 2020 update does not fully remediate the issue.
