Intrusion PreventionMS.Exchange.Validation.Key.ViewState.Remote.Code.Execution
Description
This indicates an attack attempt to exploit a Remote Code Execution Vulnerability in Microsoft Exchange Server.
The vulnerability is due to insecure keys. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application, via a crafted HTTP request.
Outbreak Alert
A suspected Iran-linked espionage group tracked as UNC1549 is actively targeting aerospace, defense, and telecommunications organizations across Europe and other regions. The threat actor employs a combination of highly tailored spear-phishing, credential theft from third-party services, and the abuse of virtual desktop infrastructure such as Citrix, VMware, and Azure VDI to gain initial access and move laterally within target networks.
Affected Products
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 4
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) |
Version Updates
| ID | 48765 |
| Created | Mar 02, 2020 |
| Updated | Mar 17, 2020 |
| CVE ID | |
| Tags | UNC1549 Espionage Attack Threat Signal |
| Risk |
|
| Known Exploited | Yes |
| Exploit Prediction Score | 94.4% |
| Default Action | drop |
| Active | |
| Affected OS | Windows |
| Affected App | MS_Exchange |
| Profile Type | Permission/Privilege/Access Control |