



Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21855, CVE-2022-21969.


Technical Analysis

Huh so this one is a bit of a doozy. On the one hand we have Microsoft Exchange Server, which, unless you have been living under a rock, has been exploited many times in the past, as evidenced here, here, and here. Basically Microsoft Exchange Server has a giant target on its back and attackers are all too happy to exploit it given any opportunity to do so.

What makes this bug interesting though is that unlike most of the other vulnerabilities which were exploitable remotely, this one not only requires authentication, but also requires local network access of some type. It’s also interesting to note that the Scope section of Microsoft’s advisory is marked as Changed, which they take as meaning "An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities."

This raises a few questions as it seems to suggest that the initial component used to exploit the vulnerability exists in one security context separate from the Exchange Server security context, which when combined with the Adjacent factor, suggests a rather unusual way of exploiting this vulnerability via some local access, presumably through some component with a different security boundary, which then interacts with the Exchange Server.

Exploitation is however listed as easy and the bug does give you high-level permissions on the Exchange Server, so I can see this as being useful for internal attacks once an attacker has gotten initial access into a network. As per usual, it is always advisable to assume that your network has been compromised when considering what to patch; I have personally seen that it’s often the little vulnerabilities that were ignored instead of being patched combined together that can lead to some of the most unexpected and dangerous impacts to companies.

Overall I’d say this is likely lower on your patch list than other RCE bugs, however given the impact and number of previous exploits for this target, I’d still recommend patching this as soon as possible, presumably once all your RCE bugs have been patched.

General Information


  • Microsoft


  • Microsoft Exchange Server 2016 Cumulative Update 22
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016 Cumulative Update 21
  • Microsoft Exchange Server 2019 Cumulative Update 10
