Security News > 2020 > March > Organizations Slow to Patch Targeted Microsoft Exchange Vulnerability

Organizations have fallen behind with the patching of a Microsoft Exchange Server vulnerability addressed with Microsoft's February 2020 Patch Day updates and already targeted in attacks.
The issue, which exists because keys created at installation are not unique, is tracked as CVE-2020-0688 and impacts Microsoft Exchange 2010, 2013, 2016, and 2019.
Last week, security researchers warned that attacks targeting vulnerable Exchange Servers started ramping up, but the first scans for the vulnerability were observed several weeks back, after researchers with the Zero Day Initiative published additional details on it and on how it can be exploited.
Kenna Security reveals that companies are very slow in addressing the issue, although it could essentially lead to the compromise of their Active Directory.
Given that exploitation of this vulnerability is rather simple, as is obtaining credentials required for that, the security firm encourages organizations to apply the available patches as soon as possible, or at least block access to ECP. "In most Microsoft-centric organizations, Exchange is a critical organization service, and thus, may be off-limits for normal monthly patching schedules. This fact, combined with the fact that the vulnerability exposes SYSTEM access on the server, and the fact that exchange stores credentials in memory in plain text, make this an incredibly attractive target," Kenna Security notes.
News URL
Related news
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- February's Patch Tuesday sees Microsoft offer just 63 fixes (source)
- Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364) (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-02-11 | CVE-2020-0688 | Improper Authentication vulnerability in Microsoft Exchange Server A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. | 8.8 |