Attackers hunting for vulnerable Exchange Servers

Microsoft rightly predicted that systems vulnerable to CVE-2020-0688, could be an attractive target for attackers and that this vulnerability could soon be included in upcoming attacks. Standing true to that, attackers have now started scanning the Internet for Microsoft Exchange Vulnerability 2020 Servers to a Remote Code Execution flaw(CVE-2020-0688). This vulnerability received a patch during the Patch Tuesday of February 2020.

Key to Remote Code Execution: CVE-2020-0688

According to Microsoft, CVE-2020-0688 is a vulnerability in Microsoft Exchange Server due to the failure of the server to properly create unique keys during installation. An authenticated attacker with the knowledge of the validation key and access to a mailbox can pass arbitrary objects to be deserialized by a web application running with SYSTEM privileges.

Microsoft rated this vulnerability important in severity with the notion that an attacker needs authentication for successful exploitation. But in the scenario of an organization, many users possess access to accounts with basic USER privileges. Given that, exploiting further would be no herculean task. Attacks are also feasible in cases where the attacker has already obtained the credentials to the target systems through other means.

Deep Dive into Microsoft Exchange Server’s Code Execution Bug

CVE-2020-0688 was reported to Microsoft by an anonymous researcher working with Trend Micro’s Zero Day Initiative (ZDI). ZDI has published a detailed analysis of the vulnerability along with a demonstration video exploiting CVE-2020-0688.

The flaw resides in the Exchange Control Panel (ECP) component, a web-based management interface in Exchange Server. The primary reason for the existence of the bug is the use of static keys in the server. While randomly generated keys for every installation are expected for security, all installations of Microsoft Exchange Server were found to have the same validationKey and decryptionKey values in web.config. These keys are meant to secure ViewState, which is the server-side data that ASP.NET web applications store in the serialized format on the client.

An authenticated attacker can launch insecure deserialization attacks by maliciously crafting ViewState data. An attacker can also plan to execute .NET code on the server with a ViewState payload generated using in the context of the Exchange Control Panel web application, which runs as SYSTEM.

In order to successfully launch an attack, an attacker should acquire the ViewStateUserKey and the __VIEWSTATEGENERATOR values from an authenticated session. Standard developer tools within the browser can be used to obtain these parameters. ViewStateUserKey can be obtained from ASP.NET _SessionID cookie.

Steps for exploitation

1) A simple user, logs in to his account on /ecp/default.aspx page.
2) The validation key is already known due to the presence of static keys:

validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF

validationalg = SHA1

3) A request is sent to /ecp/default.aspx.
The page source of the response contains __VIEWSTATEGENERATOR.
The value of ASP.NET_SessionId cookie in Request header is the ViewStateUserKey.
4) The values of validationkey, validationalg, generator and viewstateuserkey are now known. The next step will be to create the ViewState payload.
5) The ViewState payload is URL encoded and a URL is crafted with it.

6) The crafted URL is accessed using the browser. The browser response is 500 Unexpected Error, but the crafted data is executed in the background with SYSTEM privileges.

Affected Products

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14 and 15
  • Microsoft Exchange Server 2019 Cumulative Update 3 and 4


An authenticated attacker can execute malicious code on the server. Successful attacks can also involve disclosure and tampering of confidential emails in an organization.


Microsoft has released an update for mitigating this vulnerability as a part of the Patch Tuesday Updates of February 2020. We strongly recommend applying the security updates, if not already applied, from the vendor.

SanerNow detects this vulnerability and automatically fixes it by applying security updates. Download SanerNow and keep your systems updated and secure.


Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments