Main Vulnerability Database Vulnerabilities #VU22681

Deserialization of Untrusted Data in Microsoft Exchange Server - CVE-2019-1373

Published: November 12, 2019

Vulnerability identifier: #VU22681

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-1373

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Microsoft

Affected software:
Microsoft Exchange Server

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized metadata via PowerShell. A remote user can run a specially crafted cmdlets via PowerShell and execute arbitrary code in context of the logged in user

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2019-1373

Install updates from vendor's website.

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1373

Deserialization of Untrusted Data in Microsoft Exchange Server - CVE-2019-1373

Detailed vulnerability description

How to mitigate CVE-2019-1373

Sources

Please verify you're human