Synopsis: Reports of four Exchange Server zero-day vulnerabilities are circulating. These weaknesses allow a remote, authenticated attacker to run arbitrary code and disclose sensitive information. The vulnerabilities were reported to Microsoft in September 2023. Microsoft has acknowledged them but has not released a fix for most of them, and the vulnerabilities have not received CVE identifiers.

While Microsoft evaluates whether to address the remaining vulnerabilities, a patch for the remote code execution flaw in “ChainedSerializationBinder” was released in August 2023. Given Microsoft’s inaction on its findings, Trend Micro publicly released information about the flaws, identified by Zero Day Initiative (ZDI) numbers.

None of these vulnerabilities have been actively exploited, and no public code has been released.

Recommendation: Restrict interaction with Exchange apps, enforce multi-factor authentication for added security, and keep software up to date with patches.
