Microsoft has released a patch to a remote code execution vulnerability in Exchange server which is being actively targeted.
CVE-2020-0688 is a flaw in the installation procedure resulting in all Exchange Servers using the same cryptographic keys for ASP.NET ViewState data. A detailed write-up by the Zero Day Initiative demonstrates the flaw in action.
In summary: the vulnerability allows any authenticated user to pass arbitrary objects in a HTTP request to be deserialised by the Exchange Control Panel process – which runs as the SYSTEM user. The object could be a data file or an executable .NET program.
Security researchers at the Bad Packets Report detected mass scanning taking place since 25thFebruary 2020 which is actively targeting this exploit.
By taking advantage of a previous data leak or using credential stuffing, attackers who are able to login to any account in the Outlook Web portal are then able to fully compromise the Exchange Server.