CVE-2020-17132

CRITICAL

Microsoft Exchange Server - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-17132. PoCs published by Leonard Rapp, Markus Vervier, Steven Seeley, Yasar Klawohn, wvu, Spencer McIntyre, including Metasploit module exploits/windows/http/exchange_ecp_dlp_policy.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2020-16875, a vulnerability in Microsoft Exchange Server's DLP policy creation functionality, allowing authenticated attackers with the 'Data Loss Prevention' role to execute arbitrary code as SYSTEM.

Description

Microsoft Exchange Remote Code Execution Vulnerability

Exploits (1)

metasploit · WORKING POC · EXCELLENT
by Leonard Rapp, Markus Vervier, Steven Seeley, Yasar Klawohn, wvu, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2016 CU19 and 2019 CU8
Auth required: yes
Prerequisites: Valid OWA credentials · User must have the 'Data Loss Prevention' role · Active mailbox
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.1
EPSS: 0.8952
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

Status: published
Products (8):
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_17 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_6 (2 CPE variants)
Microsoft/Microsoft Exchange Server 2013 Cumulative Update 23 15.00.0 - publication
Microsoft/Microsoft Exchange Server 2016 Cumulative Update 17 15.01.0 - publication
Microsoft/Microsoft Exchange Server 2016 Cumulative Update 18 15.01.0 - publication
Microsoft/Microsoft Exchange Server 2019 Cumulative Update 6 15.02.0 - publication
Microsoft/Microsoft Exchange Server 2019 Cumulative Update 7 15.02.0 - publication
Published: Dec 10, 2020
Tracked Since: Feb 18, 2026