CVE-2023-21761
Published: 10 January 2023
Summary
CVE-2023-21761 is a high-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-21761 is an information disclosure vulnerability in Microsoft Exchange Server with a CVSS 3.1 base score of 7.5. The flaw is reachable over the network without authentication or user interaction and has a high confidentiality impact while leaving integrity and availability unaffected. It is tracked under CWE-918, the server-side request forgery (SSRF) weakness class.
An unauthenticated attacker can send crafted requests to an affected Exchange Server and obtain sensitive information that would otherwise be inaccessible. Because the attack requires no credentials and can be performed remotely, the vulnerability is exploitable by any party able to reach the server on the network.
Microsoft has published an advisory for CVE-2023-21761 that directs administrators to the corresponding security update. The EPSS score for this CVE has remained flat at 0.1307 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-25928
Vulnerability details
Microsoft Exchange Server Information Disclosure Vulnerability
- CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-918) cited in the NVD entry.
- Penetration testing that attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Monitoring and restriction of outbound connections to external resources at the network boundary, reducing the impact of SSRF.
- Validation of server-side URLs and resource references to block SSRF attempts.
- Detection of server-side request forgery by monitoring for unexpected outbound connections.