9
CVSSv2

CVE-2020-16875

Published: 11/09/2020 Updated: 17/09/2020
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

Microsoft Exchange could allow a remote malicious user to execute arbitrary code on the system, caused by improper handling of objects in memory. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system with privileges of the victim.

Vulnerability Trend

Mailing Lists

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server Authentication is required to exploit this vulnerability Additionally, the target user must have the "Data Loss Prevention" role assigned and an active mailbox If the user is in the "Compliance Management" or greater "Organization Ma ...

Recent Articles

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
Threatpost • Tara Seals • 08 Sep 2020

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.
The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbit...

The Register

A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others.
September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate.
None of the bugs have public exploit code or in-the-wild attacks yet.
Of the nearly two-dozen critical patches, Zero Day Initiative's Dustin Childs says ...