Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

May

May TRU Intelligence Briefing

May

Elevate IT Technology Summit Kansas City

May

Cybersecurity Summit Toronto

May

Cybersec Brussels

May

Cybersecurity Summit Austin

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On September 10th, researcher Steven Seeley publicly released Proof-of-Concept (PoC) code for a critical remote code execution vulnerability he discovered affecting Microsoft Exchange Servers 2016 and 2019 (CVE-2020-16875). This vulnerability was originally announced by Microsoft on September 8th [1]. Successful exploitation would result in execution of arbitrary code in the context of the SYSTEM user, allowing an attacker to view, change, and delete data, or create new accounts on the impacted system.

In order to exploit this vulnerability, an attacker would require credentials belonging to accounts in a specific Exchange role. Although eSentire assesses that widespread exploitation of this vulnerability remains unlikely, affected organizations are advised to prioritize applying the relevant patches to remediate this threat as part of a defense in depth strategy.

What we’re doing about it

MVS has a local plugin to identify this vulnerability

What you should do about it

Test and apply recommended updates from Microsoft as soon as possible
Audit users with “Data Loss Prevention" role assigned
Restrict access to Exchange Control Panel from untrusted networks

Additional information

Steven Seeley (mr_me), the researcher who disclosed the vulnerability to Microsoft, authored two PoC exploits for the vulnerability. An advisory was posted on the srcincite.io website on September 10th, 2020, containing the PoCs and additional information on the vulnerability [2]. According to the advisory, the “flaw exists within the processing of the New-DlpPolicy cmdlet. The issue results from the lack of proper validation of user-supplied template data when creating a dlp policy”. Mr. Seeley also confirms that credentials belonging to a user with a specific Exchange role (DLP Role) are required to successfully exploit this vulnerability.

Requirements for exploitation for both PoC exploits:

PowerShell PoC Exploit

Requires authentication
Credentials must belong to account with “Data Loss Prevention" role assigned
PowerShell Remoting possible to vulnerable Exchange server

Python PoC Exploit

Requires authentication
Credentials must belong to account with “Data Loss Prevention" role assigned
Active mailbox for account
Access to Exchange Control Panel (ECP)
- According to Microsoft the ECP is not configured with an external URL by default [3]

Given the above conditions for successful exploitation, eSentire assesses that widespread exploitation of this vulnerability is unlikely. The vulnerability is more likely to be exploited post-compromise, as part of an ongoing intrusion where an attacker has obtained the necessary requirements for exploitation.

References:

[1] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875

[2] https://srcincite.io/advisories/src-2020-0019/

[3] https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

MDR Packages and 24/7 Protection

MDR Pricing and Packages

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

From The Blog

Unlocking New Possibilities for Network Monitoring and Security with…

Sock(et) Puppet: How RansomHub Affiliates Pull the Strings

Phish & Chips: Serving Up Tycoon 2FA’s Secrets

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

Maximum Severity SAP Vulnerability Exploited

CrushFTP Authentication Bypass