Microsoft — CVE-2020-0688
tl;dr – Send or receive email and get RCE on Exchange Servers… yikes. All Exchange Server installations in the world share a crypto key.
This update resolves a flaw in Exchange Server versions 2010 to 2019 where just sending or receiving a specially crafted email can cause the Exchange Server to execute malicious code. During install, the Exchange installation fails to create unique crypto-deserialization keys, so all Exchange Servers share the same crypto key until patched. While the flaw is currently rated Important, attackers will work on reverse-engineering the patch to identify the flaw and develop exploits.
Note: Unsupported, end-of-life versions of the software may also be affected, even though those versions are not listed.
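One way to check a fleet for the shared-key condition described above, as an added example that is not from the original post or from Microsoft. It assumes the keys are static ASP.NET `<machineKey>` values in each server's web.config (the post does not say where they live) and that copies of those files have been collected for offline review; the host names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config fragments keyed by hypothetical host name.
# The key values are made-up placeholders, not real Exchange keys.
_TEMPLATE = ('<configuration><system.web>'
             '<machineKey validationKey="{v}" decryptionKey="{d}" validation="SHA1"/>'
             '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "mail01": _TEMPLATE.format(v="AAAA1111BBBB2222", d="CCCC3333DDDD4444"),
    "mail02": _TEMPLATE.format(v="aaaa1111bbbb2222", d="CCCC3333DDDD4444"),
    "mail03": _TEMPLATE.format(v="AutoGenerate,IsolateApps", d="AutoGenerate,IsolateApps"),
    "mail04": _TEMPLATE.format(v="9999EEEE8888FFFF", d="7777ABCD6666DCBA"),
}

def key_fingerprints(config_xml):
    """Return {attribute: short SHA-256 fingerprint} for static keys in one config."""
    found = {}
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            # "AutoGenerate" means ASP.NET derives the key per machine, so
            # there is no static value that could be shared between installs.
            if value and not value.startswith("AutoGenerate"):
                # Hex keys are case-insensitive; fingerprint instead of
                # printing the key so the report itself leaks nothing.
                digest = hashlib.sha256(value.upper().encode()).hexdigest()
                found[attr] = digest[:16]
    return found

def shared_keys(configs):
    """Map (attribute, fingerprint) -> sorted hosts, for keys used by 2+ hosts."""
    seen = defaultdict(set)
    for host, xml_text in configs.items():
        for attr, fp in key_fingerprints(xml_text).items():
            seen[(attr, fp)].add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (attr, fp), hosts in sorted(shared_keys(SAMPLE_CONFIGS).items()):
        print(f"{attr} {fp} is identical on: {', '.join(hosts)}")
```

Any key reported on more than one host is a static value that was not generated per installation; those servers are the ones to prioritise for the update.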