TODAY’S PRIORITY — Patch your Microsoft Exchange Server
The security side of Microsoft’s Patch Tuesday this week was a bit hectic, with multiple critical vulnerabilities. Potentially the worst of them is a Microsoft Exchange Server vulnerability with a CVSS rating of 9.1 out of 10, which is effectively a “patch this YESTERDAY” type of vulnerability. Specifically, CVE-2020-16875 is a remote code execution vulnerability.
Let’s break this down in plain English.
- Microsoft Exchange Server receives your organization’s emails.
- Attackers trigger this vulnerability by sending you a specially crafted email.
- The server picks up the email and runs whatever commands the attacker feels like.
- Remote code execution (RCE) is really bad.
- This vulnerability is even worse than a normal RCE because the server will run the commands with elevated privileges.
- Attackers are weaponizing vulnerabilities faster than ever. Patch now before this is in the wild.
Note: There are already over 20 CRITICAL vulnerabilities in Microsoft products for just the month of September, including another SharePoint RCE vulnerability, which is rated 9.9/10 because it, per Microsoft, “fails to check the source markup of an application package.”