Static Key Flaw in Microsoft Exchange Server Leaves Organizations Vulnerable (CVE-2020-0688)
As part of February’s Patch Tuesday, Microsoft patched CVE-2020-0688, a static key vulnerability in Microsoft Exchange Control Panel for Microsoft Exchange Server. The vulnerability was initially labeled as a memory corruption flaw, but Microsoft quickly updated the title and description for the flaw.
The vulnerability is rated ‘important,’ though Microsoft says, based on its exploitability index, that it believes exploitation is more likely.
Researchers at the Zero Day Initiative (ZDI) published details about the vulnerability on February 25, including enough information to construct a proof-of-concept (PoC). However, obtaining some of the information needed to construct the PoC requires that an attacker have valid credentials on the victim server, though this does not appear to be a hurdle for attackers.
Reports have emerged that the vulnerability is being probed by attackers in mass scanning activity.
For more information about the vulnerability including patch details, please visit our blog.