
DETECTION OVERVIEW

Microsoft Exchange Server Deserialization Exploit Attempt - [Multiple CVEs]

Risk Factors

Microsoft Exchange management interfaces are not traditionally exposed to the internet and can be exploited only by authenticated attackers. On unpatched servers, an authenticated attacker can exploit the deserialization vulnerabilities CVE-2023-28310, CVE-2023-21706, and CVE-2023-2159, which can lead to RCE.

Kill Chain

Exploitation

Risk Score

88

Detection diagram

Attack Background

Microsoft Exchange Server has vulnerabilities (CVE-2023-28310, CVE-2023-21706, and CVE-2023-21529) that can lead to RCE. An authenticated attacker who has established a PowerShell connection with an Exchange Server sends a SOAP message that contains serialized PowerShell objects carrying a malicious XamlReader payload. When deserialized, these objects bypass the restrictions of the Microsoft Exchange Management Shell and run the attacker's embedded code.
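The following inspector is an added example for defenders, not RevealX's own detection logic: it walks a captured SOAP envelope, scans every element text and attribute value (one base64 layer deep, since PowerShell remoting fragments are base64-wrapped) for the XamlReader type name the attack relies on, and returns the markers found. It assumes the serialized objects use the PowerShell remoting XML format in which type names sit in `<T>` elements; all three envelopes are constructed samples, not real traffic.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Type name that has no business in objects sent to an Exchange management endpoint.
SUSPICIOUS_MARKERS = ("System.Windows.Markup.XamlReader",)
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _decode_if_base64(text: str) -> list[str]:
    """Return UTF-8 and UTF-16LE decodings of a base64 blob, or [] if not base64."""
    if not _B64_RE.match(text) or len(text) % 4:
        return []
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return []
    return [raw.decode("utf-8", "ignore"), raw.decode("utf-16-le", "ignore")]


def find_suspicious_markers(soap_xml: str) -> list[str]:
    """Scan all element texts and attribute values of a SOAP envelope for markers."""
    hits: list[str] = []
    for elem in ET.fromstring(soap_xml).iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            value = value.strip()
            candidates = [value] + _decode_if_base64(value)  # plain and decoded forms
            for marker in SUSPICIOUS_MARKERS:
                if marker not in hits and any(marker.lower() in c.lower() for c in candidates):
                    hits.append(marker)
    return hits


# Constructed samples (hypothetical): one flagged, one benign, one base64-wrapped.
_TEMPLATE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0"><TN RefId="0"><T>{type}</T><T>System.Object</T></TN>
<MS><S N="Data">{data}</S></MS></Obj></Objs></s:Body></s:Envelope>"""
SAMPLE_SOAP = _TEMPLATE.format(type="System.Windows.Markup.XamlReader", data="placeholder")
BENIGN_SOAP = _TEMPLATE.format(type="System.Management.Automation.PSCustomObject", data="x")
ENCODED_SOAP = _TEMPLATE.format(
    type="System.Management.Automation.PSCustomObject",
    data=base64.b64encode(b"<T>System.Windows.Markup.XamlReader</T>").decode(),
)

if __name__ == "__main__":
    for name, doc in [("sample", SAMPLE_SOAP), ("benign", BENIGN_SOAP), ("encoded", ENCODED_SOAP)]:
        print(name, find_suspicious_markers(doc))
```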

Mitigation Options

Install relevant patches for affected versions

If unable to patch, make the recommended changes provided in Microsoft Exchange Server Vulnerabilities Mitigations (see the link below)

MITRE ATT&CK ID
