CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Microsoft Says Exchange ‘Zero Days’ Disclosed by ZDI Already Patched or Not Urgent

Microsoft says four Exchange ‘zero-days’ disclosed by ZDI have either already been patched or they don’t require immediate attention.

Exchange vulnerabilities disclosed by ZDI

Microsoft says four Exchange vulnerabilities disclosed by Trend Micro’s Zero Day Initiative (ZDI) last week have either already been patched or they don’t require immediate attention.

ZDI disclosed the existence of four high-severity Exchange vulnerabilities identified by the company’s Piotr Bazydlo after being informed by Microsoft that the issues do not require immediate servicing. According to ZDI, the flaws were reported to the tech giant in early September. 

ZDI’s advisories have been published with a ‘zero-day’ status, but the vulnerabilities are not actual zero-days as there is no indication that they have been exploited in the wild and there is no public technical information or PoC code that would increase their chances of getting exploited in the near future. 

Moreover, exploiting the vulnerabilities requires authentication, which further decreases their chances of being leveraged in malicious attacks.

According to ZDI, one of the vulnerabilities, tracked as ZDI-23-1578 — CVE identifiers have yet to be assigned to these flaws — is a data deserialization issue that allows remote code execution. 

“The specific flaw exists within the ChainedSerializationBinder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM,” ZDI explained in its advisory. 

Microsoft told SecurityWeek that this vulnerability has actually been patched. Customers who have applied the August security updates are already protected, the tech giant said. 

The remaining issues have been described as server-side request forgery (SSRF) flaws that can lead to information disclosure

Advertisement. Scroll to continue reading.

For each of these security holes, Microsoft pointed out that exploitation requires prior access to email credentials. For two of the flaws, the company also noted that no evidence was presented that they can be leveraged to gain elevation of privilege or access to sensitive customer information.

“We appreciate the work of this finder submitting these issues under coordinated vulnerability disclosure, and we’re committed to taking the necessary steps to help protect customers. We’ve reviewed these reports and have found that they have either already been addressed, or do not meet the bar for immediate servicing under our severity classification guidelines and we will evaluate addressing them in future product versions and updates as appropriate,” a Microsoft spokesperson told SecurityWeek.

ZDI says in its advisories that given the nature of the vulnerabilities, “the only salient mitigation strategy is to restrict interaction with the application”.

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Exchange Server 2013 Reaches End of Support

Related: Microsoft Urges Customers to Patch Exchange Servers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.