CVE-2023-36439: Critical Exchange Vulnerability Threatens 63,000 Servers

In a worrying development for organizations still running Microsoft Exchange Server, over 63,000 servers remain vulnerable to a critical remote code execution (RCE) vulnerability, despite being patched by Microsoft in November 2023. This vulnerability, known as CVE-2023-36439, allows authenticated attackers to gain complete control of affected servers, posing a significant security risk.

The Shadowserver Foundation, a non-profit organization dedicated to improving internet security, discovered the widespread exposure of vulnerable Exchange servers through an analysis of version information (the servers’ x_owa_version header). This troubling finding underscores the importance of timely patching and vulnerability management practices.

We are reporting Microsoft Exchange Server CVE-2023-36439 vulnerable IPs (post-auth RCE). Over 63K vulnerable worldwide. Patch released Nov 14th – https://t.co/pBGFiK2uSD

IP data for your constituency in https://t.co/ApcM9HwiOK

Dashboard tracker – https://t.co/MIDRauQ7SQ pic.twitter.com/uNB6oNS7s1

— Shadowserver (@Shadowserver) November 16, 2023

CVE-2023-36439 affects Exchange Server 2016 and 2019, and its severity is reflected in its CVSS score of 8.0. Successful exploitation of this vulnerability could allow attackers to install malicious software, steal sensitive data, or disrupt critical business operations.

While the vulnerability requires an attacker to be authenticated as a valid Exchange user, this hurdle can be easily overcome through social engineering tactics such as phishing emails. Once attackers have gained access, they can exploit CVE-2023-36439 to escalate their privileges and gain complete control of the affected server.

Kevin Breen, senior director of threat research at Immersive Labs, emphasizes the urgency of addressing this vulnerability and its associated risks: “Organizations running Microsoft Exchange Server should prioritize several new Exchange patches, including CVE-2023-36439. This weakness technically requires the attacker to be authenticated to the target’s local network, but a pair of phished Exchange credentials will provide that access nicely.“

In addition to CVE-2023-36439, Breen highlights three other Exchange bugs that Microsoft has designated as “exploitation more likely“: CVE-2023-36050, CVE-2023-36039, and CVE-2023-36035. Organizations should prioritize patching these vulnerabilities as well to minimize their attack surface.

The widespread exposure of unpatched Exchange servers underscores the importance of maintaining a robust cybersecurity posture. Organizations should implement a comprehensive vulnerability management program that includes regular scanning, patching, and awareness training to minimize their risk of falling victim to cyberattacks.