HomeWinBuzzer NewsMicrosoft Exchange “PrivExchange” Vulnerability Gives Attackers Admin Access

Microsoft Exchange “PrivExchange” Vulnerability Gives Attackers Admin Access

A new vulnerability has been described in Microsoft Exchange. Called PrivExchange, it allows bad actors to gain privileged access from a basic email account.


According to new information from a Dutch security researcher, 2013 and newer versions are vulnerable to a new zero-day. Called “PrivExchange”, the flaw gives attackers the ability to remotely enter the Domain Controller admin privileges with a simple Exchange mailbox user account.

Dirk-jan Mollema, a security researcher for Fox-IT, says the zero-day is several vulnerabilities working together. He went public with the problem last week, describing three default settings that can be manipulated to increase access.

Through a hacked lowly Exchange email account, a bad actor can elevate account access to admin level. The Domain Controller is a secure server that handles authentication requests on Exchange.

Mollema describes the following three vulnerabilities working in unison:

  • The default Exchange Web Services (EWS) feature gives attackers the ability to manipulate servers, allowing them to authenticate a bad actor through a hacked email account.
  • To achieve this, the attacker uses NTLM hashes sent through HTTP, while the server will also not set Sign and Seal flags on the NTLM operation. Essentially, this means the NTLM authentication is left open to attack. Bad actors can then obtain the hash.
  • Microsoft Exchange servers allow access to sensitive operations by default. Typically, only company admins have access to servers and the higher privileges, normal email account holders do not. However, with elevated access, the attackers can gain access to the Domain Controller and grant themselves access to sensitive material. Furthermore, the attack will allow the ability to create more backdoor accounts.

Solving Problems

PrivExchange works on Microsoft Exchange and Windows Server Domain Controllers from 2013 right up to fully patched versions. Microsoft has yet to officially discuss this vulnerability, so no patches are available yet. That said, Mollema has offered some workarounds for system admins to avoid being attacked.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News