Microsoft Exchange Servers are still a crucial backbone for many organizations, handling email and communication worldwide. In recent years, these servers have become frequent targets for attackers — and one of the latest and most serious flaws is CVE-2023-36745.
This post breaks down CVE-2023-36745 in plain American language. We’ll look into how the exploit works, show some code snippets for understanding, and share useful links. Whether you're a sysadmin, red teamer, or someone looking to patch your business, this is the guide for you.
What Is CVE-2023-36745?
CVE-2023-36745 is a remote code execution (RCE) vulnerability in Microsoft Exchange Server. Discovered and patched in September 2023's Patch Tuesday, it's ranked as High with a CVSS score of 8..
In simple terms: If you're running a vulnerable version, a remote attacker could execute their own code — with system-level rights — just by sending crafted requests, no login required.
Microsoft Exchange Server 2019 Cumulative Update 12, 13
You can find Microsoft’s official advisory here:
Microsoft CVE-2023-36745 Official Advisory
How Does the Exploit Work?
The flaw appears in how Exchange handles deserialization of data in the Outlook Web Access (OWA) and Exchange Control Panel (ECP) components. Deserialization bugs occur when the server "reads and trusts" unsafe user input and treats it like real code.
If crafted right, a malicious attacker can sneak in commands inside their request data that trick Exchange into running them.
Attacker crafts a malicious HTTP POST request to the Exchange server's OWA or ECP endpoint.
2. They use a publicly reachable endpoint (like /owa/ or /ecp/).
Exploit Details: Simplified Code Example
> WARNING: This is for educational purposes only. Do not use on systems without explicit permission.
A real exploit would require crafting specific serialized .NET data. Luckily (or unluckily), open source tools like ysoserial.net make it simple to generate payloads.
Example attack with PowerShell and ysoserial.net
# Step 1: Generate malicious payload
ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -o raw -c "cmd /c calc.exe" > payload.bin
# Step 2: Send HTTP POST with payload to Exchange endpoint
Invoke-WebRequest -Uri "https://victim-exchange-server/ecp/default.flt"; `
-Method POST `
-Body ([System.IO.File]::ReadAllBytes("payload.bin")) `
-ContentType "application/octet-stream"
The above script tells the server to pop Calculator. In a real-world attack, it could download and execute malware instead.
> ysoserial.net: https://github.com/pwntester/ysoserial.net
## Proof-of-Concept/Exploits in the Wild
While Microsoft didn't release a PoC, researchers have shared technical breakdowns
- Trend Micro's Egregor Blog
- Huntress Breakdown
Several security firms detected exploitation attempts just days after disclosure.
Mitigation & Patching Steps
1. Patch Immediately:
Update Exchange servers to the latest Cumulative or Security Update.
Microsoft Update Guide for Exchange
2. Block Unnecessary Access:
Don't expose Exchange endpoints (like /owa/ and /ecp/) to the Internet, if possible.
3. Monitor Logs:
Look for unusual POST requests or PowerShell spawns from IIS Worker processes.
4. Use EDR:
Endpoint Detection & Response tools should be watching for things like cmd.exe or powershell.exe running under Exchange's process.
In Summary
CVE-2023-36745 is a big deal:
It lets attackers remotely run any command on vulnerable Microsoft Exchange servers — even if no one is logged in.
What you should do now: Patch your Exchange servers, review firewall rules, and comb through logs for unusual activity. Delay could mean compromise.
Further reading:
- Microsoft Security Advisory
- Rapid7 Technical Analysis
- Exploit Details – PortSwigger
Timeline
Published on: 09/12/2023 17:15:10 UTC
Last modified on: 09/15/2023 16:28:24 UTC