CVE-2020-17144

HIGH KEV

Microsoft Exchange Server - Remote Code Execution via Untrusted Data Deserialization

Title source: llm

Exploitation Summary

CVE-2020-17144 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 5 public exploits from researchers including zcgonvh, Airboi, and delete_user.

AI-analyzed exploit summary: This exploit leverages a .NET deserialization vulnerability in Microsoft Exchange Server 2010 (CVE-2020-17144) to achieve remote code execution by crafting a malicious payload and saving it as a UserConfiguration object. The payload uses a complex chain of LINQ enumerators and reflection to trigger arbitrary code execution when deserialized.

Description

Microsoft Exchange Remote Code Execution Vulnerability

Exploits (5)

nomisec WORKING POC 159 stars
by zcgonvh · remote-auth
https://github.com/zcgonvh/CVE-2020-17144

This exploit leverages a .NET deserialization vulnerability in Microsoft Exchange Server 2010 (CVE-2020-17144) to achieve remote code execution by crafting a malicious payload and saving it as a UserConfiguration object. The payload uses a complex chain of LINQ enumerators and reflection to trigger arbitrary code execution when deserialized.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Exchange Server 2010
Auth required
Prerequisites: Valid credentials for Exchange Server · Network access to the Exchange Server · A malicious DLL (e.dll) to be loaded
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 157 stars
by Airboi · remote-auth
https://github.com/Airboi/CVE-2020-17144-EXP

This is a functional exploit for CVE-2020-17144, targeting Microsoft Exchange Server via deserialization. It leverages ysoserial.net to generate a malicious payload that writes a webshell to the Exchange Server's autodiscover directory.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (likely 2010, given the EWS endpoint)
Auth required
Prerequisites: Valid credentials for the target Exchange Server · Network access to the EWS endpoint · .NET environment for compilation
devstral-2 · analyzed Feb 16, 2026

patchapalooza WORKING POC
by delete_user · poc
https://gitee.com/delete_user/CVE-2020-17144-EXP

This repository contains a functional exploit for CVE-2020-17144, leveraging a .NET deserialization vulnerability in Exchange Server 2010. The exploit uses ysoserial.net to generate a malicious payload that achieves remote code execution by exploiting the BinaryFormatter deserialization chain.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2010
Auth required
Prerequisites: valid Exchange 2010 credentials · network access to the target server
devstral-2 · analyzed Feb 23, 2026

patchapalooza WORKING POC
by delete_user · poc
https://gitee.com/delete_user/CVE-2020-17144

This repository contains a functional exploit for CVE-2020-17144, a deserialization vulnerability in Microsoft Exchange 2010. The exploit leverages unsafe deserialization in the MRM.AutoTag.Model component to achieve remote code execution by creating a malicious UserConfiguration object.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange 2010
Auth required
Prerequisites: valid credentials for the target Exchange server · .NET Framework 3.5
devstral-2 · analyzed Feb 23, 2026

patchapalooza WORKING POC
by h1d3r · poc
https://gitee.com/h1d3r/CVE-2020-17144

This repository contains a functional exploit for CVE-2020-17144, a Microsoft Exchange 2010 MRM.AutoTag.Model unsafe deserialization vulnerability. The exploit leverages a crafted payload to achieve remote code execution by creating a malicious UserConfiguration object.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange 2010
Auth required
Prerequisites: valid credentials for the target Exchange server · .NET Framework 3.5
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 8.4
EPSS 0.3665
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-9098
CWE CWE-502
Status published
Products (2)
microsoft/exchange_server 2010 sp3_rollup_31
Microsoft/Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31 < publication
Published Dec 10, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026