CVE-2022-23277

HIGH

Microsoft Exchange Server ChainedSerializationBinder RCE

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-23277. PoCs were published by 7BitsTeam, pwnforsp, zcgonvh, Microsoft Threat Intelligence Center, Microsoft Security Response Center, peterjson, testanull, Grant Willcox, Spencer McIntyre, and Markus Wulftange, and include the Metasploit module exploits/windows/http/exchange_chainedserializationbinder_rce.

AI-analyzed exploit summary: This is a functional PoC for CVE-2022-23277, leveraging .NET deserialization via ObjectDataProvider to achieve remote code execution. The exploit generates payloads in multiple formats (XAML, JSON, etc.) and includes variants for different attack scenarios.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploits (2)

nomisec WORKING POC 9 stars
by 7BitsTeam · poc
https://github.com/7BitsTeam/CVE-2022-23277

This is a functional PoC for CVE-2022-23277, leveraging .NET deserialization via ObjectDataProvider to achieve remote code execution. The exploit generates payloads in multiple formats (XAML, JSON, etc.) and includes variants for different attack scenarios.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: .NET applications using ObjectDataProvider (e.g., WPF, XAML parsers)
No auth needed
Prerequisites: Vulnerable .NET application processing untrusted input · Ability to deliver crafted payload
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by pwnforsp, zcgonvh, Microsoft Threat Intelligence Center, Microsoft Security Response Center, peterjson, testanull, Grant Willcox, Spencer McIntyre, Markus Wulftange · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_chainedserializationbinder_rce.rb

This Metasploit module exploits CVE-2022-23277, a deserialization vulnerability in Microsoft Exchange Server, allowing remote code execution. It supports multiple payload types and targets specific vulnerable builds of Exchange Server 2016 and 2019.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2016 CU21, CU22; Exchange Server 2019 CU10, CU11 (pre-Mar22SU)
Auth required
Prerequisites: Valid Exchange Server credentials · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.4277
EPSS Percentile: 98.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status: published
Products (3):
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_21 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_10 (2 CPE variants)
Published: Mar 09, 2022
Tracked Since: Feb 18, 2026