|CVSS SCORE||8.1, (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)|
This vulnerability allows remote attackers to impersonate arbitrary users on vulnerable installations of Microsoft Exchange Server. Authentication is required to exploit this vulnerability.
The specific flaw exists within the use of NTLM authentication in Exchange Server. NTLM responses produced by the server can be reflected back to the server to authenticate arbitrary EWS requests. An attacker can leverage this vulnerability to disclose and modify the data of any user of the Exchange server.
Microsoft has issued an update to correct this vulnerability. More details can be found at: