Eighty-five per cent of Microsoft Exchange Servers vulnerable to remote-code execution security flaw patched last month

Organisations warned to patch protect against CVE-2020-0688 as state-backed APTs start targeting vulnerable Exchange Servers

State-backed APTs are targeting Microsoft Exchange Servers unpatched against CVE-2020-0688.

The patch was released in Microsoft's February Patch Tuesday, making it now more than a month old. The vulnerability is a remote-code execution flaw arising due to a static cryptographic key in Microsoft Exchange Server's on-by-default Exchange Control Panel (ECP).

Trend Micro's Zero-Day Initiative describes the vulnerability as follows: "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is required to exploit this vulnerability.

"The specific flaw exists within the Exchange Control Panel web application. The product fails to generate a unique cryptographic key at installation, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM."

However, warn security specialists at Kenna Security, exploiting the flaw is relatively straightforward, with an exploit published in Metasploit at the beginning of March.

"The vulnerability is actively being exploited in the wild... If your organization has not yet patched, you're going to want to patch or disable ECP as quickly as possible."

Incident response security firm Volexity had reported exploitation in the wild earlier this month.

However, Kenna warns that organisations aren't patching quickly enough - especially when compared to the speed with which the January Patch Tuesday updates were applied by Microsoft Exchange Server users.

It warns that less than 15 per cent of vulnerable systems have either been patched or remediated in some way, compared to more than 50 per cent at the same time following release of the January patches.

Using data on internet-facing Outlook Web Access (OWA) servers provided by BinaryEdge, Kenna found that the bulk of installs were 2016 versions, with some 74 per cent found to be ‘vulnerable' and 26 per cent ‘potentially vulnerable'.

"Yes, this vulnerability requires a first credential, but if you do some quick searching in one of the breach databases, like Dehashed or Spycloud, you'll quickly see this isn't a barrier at all. It's reasonable to assume that there's at least one working credential for any given enterprise available with minimal effort at any given time," Kenna concluded.

"Attackers are effectively one weak or leaked user password away from complete access to your organization. When combined with the external facing nature of OWA and the ECP - on by default in Exchange, this is likely to be one of the most devastating vulnerabilities of 2020."