CVE-2023-36756: 
vulnerability analysis and mitigation

Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2023-36756) was discovered and reported on June 27, 2023, affecting Microsoft Exchange Server installations. The vulnerability specifically impacts Exchange Server 2016 Cumulative Update 23 and Exchange Server 2019 Cumulative Updates 12 and 13 (Microsoft Update).

The vulnerability exists within the lack of protection against deserialization of the ApprovedApplicationCollection class. The specific flaw stems from improper validation of user-supplied data, which can result in deserialization of untrusted data. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 HIGH with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Zero Day Initiative).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of SYSTEM on affected Microsoft Exchange Server installations. The vulnerability allows for complete compromise of system confidentiality, integrity, and availability (Zero Day Initiative).

Microsoft has released security updates to address this vulnerability. Organizations running affected versions of Exchange Server should apply the security update KB5030524 released on August 15, 2023 (Microsoft Update).