Four Zero-Day Flaws Disclosed in Microsoft Exchange
Researchers from Trend Micro's Zero Day Initiative (ZDI) have disclosed four zero-day vulnerabilities in Microsoft Exchange. These flaws can be exploited remotely by an authenticated attacker to execute arbitrary code or access sensitive information on vulnerable installations. ZDI reported the vulnerabilities to Microsoft in September 2023, but the company has not yet fixed them. The disclosed vulnerabilities include a deserialization flaw, as well as server-side request forgery vulnerabilities that allow for information disclosure. The vulnerabilities were discovered by Piotr Bazydlo of Trend Micro Zero Day Initiative.