Main Vulnerability Database Vulnerabilities #VU25227

Permissions, Privileges, and Access Controls in Microsoft Exchange Server - CVE-2020-0692

Published: February 11, 2020

Vulnerability identifier: #VU25227

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-0692

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Microsoft

Affected software:
Microsoft Exchange Server

Detailed vulnerability description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to uspecified error in Microsoft Exchange Server. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. A remote attacker can change parameters in the Security Access Token, forward it to a Microsoft Exchange Server and impersonate an another Exchange user.

How to mitigate CVE-2020-0692

Install updates from vendor's website.

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0692

Permissions, Privileges, and Access Controls in Microsoft Exchange Server - CVE-2020-0692

Detailed vulnerability description

How to mitigate CVE-2020-0692

Sources

Please verify you're human