Microsoft Exchange Zero-day Vulnerabilities

Risk: HIGH
Severity: HIGH 

WTS is bringing attention to multiple emerging Microsoft Exchange zero-day vulnerabilities that have been confirmed as being actively exploited. No public proof of concept is available for these zero-days and no CVE numbers have been assigned to them as of yet. The SOC team will be closely monitoring the situation until a patch is available and will send out new information as it becomes available. The vulnerabilities have been reported to Microsoft and are currently tracked by the Zero Day Initiative as ZDI-CAN-18333 and ZDI-CAN-18802.

If there are any concerns or questions please reach out to the SOC team.

Vendor: Microsoft

Microsoft Exchange zero-day (CVE Not Available Yet) (CVSS TBD)

Description:

Available information points to one of these being a remote code execution vulnerability.

Attack Vector:

The exploit works in two stages:

Severity: High

Versions Affected:

  • All on-premises Microsoft Exchange servers

References:
https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/
https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
https://www.huntress.com/blog/new-0-day-vulnerabilities-found-in-microsoft-exchange
https://www.reddit.com/r/msp/comments/xrkfdf/threat_advisory_new_0day_vulnerabilities_found_in/
https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=Zero%20Day%20Initiative-,ZDI%2DCAN%2D18802,-Microsoft

Mitigations:

Until Microsoft releases security updates to address the two zero-days, GTSC has shared a temporary mitigation that blocks the observed attack requests by adding a request-blocking rule in IIS using the URL Rewrite module:

  • In IIS Manager, open Autodiscover under the front-end website (Default Web Site), select the URL Rewrite feature, and then add a Request Blocking rule.
  • Block access based on URL Path, using Regular Expressions, with the pattern “.*autodiscover\.json.*\@.*Powershell.*”.
  • Condition input: choose {REQUEST_URI}.

This rule only blocks the request shape seen in the campaign so far; it is a stopgap rather than a fix. Confirm that normal Autodiscover traffic still succeeds after the rule is added, and remove the rule once the vendor patch has been applied.
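The same rule can be created without clicking through IIS Manager. The script below is an added example written for this advisory; it is not GTSC's or Microsoft's code. It uses the WebAdministration module that ships with IIS and assumes the URL Rewrite module is installed and that the Autodiscover application lives under "Default Web Site" (the default Exchange layout). The rule name and the function names are arbitrary choices for the example. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example for this advisory (not GTSC's or Microsoft's script).
# Creates a URL Rewrite request-blocking rule equivalent to the manual steps above.
# Assumptions: URL Rewrite module installed; Autodiscover is under "Default Web Site";
# $RuleName is an arbitrary name chosen for this example.
Import-Module WebAdministration

$RuleName = 'Block-Autodiscover-PowerShell-Requests'       # hypothetical rule name
$Pattern  = '.*autodiscover\.json.*\@.*Powershell.*'       # pattern from the advisory
$PsPath   = 'MACHINE/WEBROOT/APPHOST/Default Web Site/Autodiscover'
$Rules    = 'system.webServer/rewrite/rules'
$Rule     = "$Rules/rule[@name='$RuleName']"

function Add-AutodiscoverBlockRule {
    # Idempotent: leave an existing rule with the same name untouched.
    if (Get-WebConfiguration -PSPath $PsPath -Filter $Rule) {
        Write-Host "Rule '$RuleName' already exists; nothing to do."
        return
    }

    # Create the rule. The default pattern syntax is ECMAScript (regular expressions),
    # which matches the "Regular Expressions" choice in the IIS Manager dialog.
    # stopProcessing keeps a later rule from re-allowing a blocked request.
    Add-WebConfigurationProperty -PSPath $PsPath -Filter $Rules -Name '.' -Value @{
        name = $RuleName; stopProcessing = $true
    }

    # Match every URL and let the condition decide, as the Request Blocking template does.
    Set-WebConfigurationProperty -PSPath $PsPath -Filter "$Rule/match" -Name 'url' -Value '.*'

    # Condition on {REQUEST_URI} with the advisory's pattern (IIS rewrite matches are
    # case-insensitive by default, so "Powershell" also catches "powershell").
    Add-WebConfigurationProperty -PSPath $PsPath -Filter "$Rule/conditions" -Name '.' -Value @{
        input = '{REQUEST_URI}'; pattern = $Pattern
    }

    # Abort the request rather than return a custom page.
    Set-WebConfigurationProperty -PSPath $PsPath -Filter "$Rule/action" -Name 'type' -Value 'AbortRequest'
    Write-Host "Rule '$RuleName' created."
}

function Get-AutodiscoverBlockRule {
    # Returns the rule's condition so the pattern and input can be checked after creation.
    Get-WebConfiguration -PSPath $PsPath -Filter "$Rule/conditions/add" |
        Select-Object input, pattern
}

Add-AutodiscoverBlockRule
Get-AutodiscoverBlockRule | Format-Table -AutoSize
```

After running it, Get-AutodiscoverBlockRule should list one condition with input {REQUEST_URI} and the advisory's pattern; the rule is written to the Autodiscover application's web.config, so it survives an IIS restart and can be removed later with Clear-WebConfiguration on the same filter or from IIS Manager.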

Checking for Compromise

Admins who want to check whether their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan the IIS log files (by default stored under C:\inetpub\logs\LogFiles) for the request pattern GTSC observed:

  • Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Select-String is case-insensitive by default, and the trailing 200 is intended to match the sc-status field of a request that reached the PowerShell back end through Autodiscover. Review each hit in context rather than relying on the count alone, and keep in mind that the scan only covers the log retention still present on the server.

Reported Webshell Paths

  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
  • C:\inetpub\wwwroot\aspnet_client\Xml.ashx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

These are the file names reported so far; attackers can drop web shells under other names, so any unexpected .aspx or .ashx file in these directories should be treated as an indicator and preserved for forensic review rather than deleted outright.

Published on  and maintained in Cascade.