CVE-2020-17144 – CVE-2020-17144 is a remote code execution vulne... (How to Fix)

Q: What is the severity of CVE-2020-17144?

CVE-2020-17144 has a CVSS score of 8.4 (HIGH). CVE-2020-17144 is a remote code execution vulnerability in Microsoft Exchange Server that allows authenticated attackers to execute arbitrary code on affected systems. It affects organizations running vulnerable versions of Exchange Server, potentially enabling attackers to take full control of email servers and access sensitive communications.

📋 TL;DR

CVE-2020-17144 is a remote code execution vulnerability in Microsoft Exchange Server that allows authenticated attackers to execute arbitrary code on affected systems. It affects organizations running vulnerable versions of Exchange Server, potentially enabling attackers to take full control of email servers and access sensitive communications.

💻 Affected Systems

Products:

Microsoft Exchange Server

Versions: Exchange Server 2010, 2013, 2016, 2019

Operating Systems: Windows Server

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all supported versions of Exchange Server. Requires attacker to be authenticated to Exchange Server.

📦 What is this software?

Exchange Server by Microsoft

View all CVEs affecting Exchange Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Exchange Server leading to data exfiltration, installation of persistent backdoors, lateral movement to other systems, and disruption of email services.

🟠

Likely Case

Attackers gain administrative control over Exchange Server, allowing them to read all emails, impersonate users, and use the server as a foothold for further network attacks.

🟢

If Mitigated

Limited impact due to network segmentation, strong authentication controls, and monitoring that detects exploitation attempts before successful compromise.

🌐 Internet-Facing: HIGH - Exchange servers are typically internet-facing for email access, making them prime targets for exploitation.

🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this vulnerability, but requires authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid Exchange credentials. Has been actively exploited in the wild by threat actors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates for Exchange Server 2010 SP3, 2013 CU23, 2016 CU19, 2019 CU8

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144

Restart Required: Yes

Instructions:

1. Download appropriate security update from Microsoft Update Catalog. 2. Apply update to all Exchange servers. 3. Restart Exchange services. 4. Test functionality.

🔧 Temporary Workarounds

Restrict Exchange authentication

windows

Limit which users can authenticate to Exchange Server and implement strong authentication controls

Network segmentation

all

Place Exchange servers in segmented network zones with strict firewall rules limiting access

🧯 If You Can't Patch

Implement strict network segmentation and firewall rules to limit Exchange server access
Enable detailed logging and monitoring for Exchange authentication and PowerShell usage

🔍 How to Verify

Check if Vulnerable:

Check Exchange Server version and compare with patched versions. Vulnerable if running Exchange 2010 SP3, 2013 CU23, 2016 CU19, 2019 CU8 or earlier.

Check Version:

Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

Verify Fix Applied:

Verify Exchange Server version matches patched versions and check Windows Update history for security update KB4593465 or later.

📡 Detection & Monitoring

Log Indicators:

Unusual PowerShell execution on Exchange servers
Suspicious authentication patterns
Unexpected process creation on Exchange servers

Network Indicators:

Unusual outbound connections from Exchange servers
Suspicious PowerShell remoting traffic

SIEM Query:

source="exchange_logs" AND (event_id=4625 OR event_id=4688) AND process_name="powershell.exe"

📊 Metadata

CVE ID: CVE-2020-17144

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-502

Published: December 10, 2020

Last Updated: October 29, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144 Patch,Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17144 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-17144, you might also want to check these: