Cyber Resilience

CVE-2023-21761

Severity: High
Published: 10 January 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.1307 (94.3rd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-21761 is a high-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-21761 is an information disclosure vulnerability in Microsoft Exchange Server, assigned a CVSS 3.1 base score of 7.5. The flaw is reachable over the network without authentication or user interaction and results in high confidentiality impact while leaving integrity and availability unaffected. It is tracked under CWE-918, indicating a server-side request forgery (SSRF) class issue.

An unauthenticated attacker can send crafted requests to an affected Exchange Server and obtain sensitive information that would otherwise be inaccessible. Because the attack requires no credentials and can be performed remotely, the vulnerability is exploitable by any party able to reach the server on the network.

Microsoft has published an advisory for CVE-2023-21761 that directs administrators to the corresponding security update. The EPSS score for this CVE has remained flat at 0.1307 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

Microsoft Exchange Server Information Disclosure Vulnerability

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft
Product: Exchange Server
Versions: 2016, 2019

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. (addresses CWE-918)
- Outbound connections to external resources can be monitored and limited at the network boundary, reducing the impact of SSRF. (addresses CWE-918)
- Validation of server-side URLs and resource references blocks SSRF attempts. (addresses CWE-918)
- Detection of server-side request forgery through monitoring of unexpected outbound connections. (addresses CWE-918)