Description
On January 12, 2021, Steven Seeley (aka mr_me) published a blog post on a zero-day patch bypass for Microsoft Exchange CVE-2020-17132, a post-authentication code execution vulnerability that was itself a patch bypass for CVE-2020-16875. The patch for CVE-2020-17132 is effectively a series of six checks run against cmdlets passed to Exchange Server to ensure that exploit attempts against CVE-2020-16875 are rejected. As described in Seeley's blog post, this latest patch bypass uses call operators to circumvent all of the mitigations applied in the CVE-2020-17132 patch, allowing attackers to execute commands with SYSTEM privileges.
There have been no reports of active exploitation at the time of writing, but an unpatched zero-day vulnerability makes a high-value target for attackers. We consider this new vulnerability to be an impending threat, and active exploitation is likely before long.
Affected products
Currently, the following supported versions of Exchange Server 2019 and 2016 are vulnerable:
- Exchange Server 2019 (CU8, CU7)
- Exchange Server 2016 (CU19, CU18)
Rapid7 analysis
As of January 12, 2020, both rich technical detail and proof-of-concept (PoC) code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were able to reproduce the RCE on a vulnerable instance of Exchange Server 2016 CU19 on Windows Server 2016. Authentication presents something of a barrier to exploitation, but it should not be relied upon as a long-term preventative hurdle. As we have seen with previous Exchange vulnerabilities, once attackers gain authenticated access (e.g., via phishing), the impact of exploitation is high.
Guidance
Microsoft Exchange customers who have Exchange Servers that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure Exchange Server is not exposed to the internet until the appropriate patches have been released by Microsoft.