Versions (4)
Version DetailsCurrent
Rev: 2 • Feb 26, 2020, 12:00 PMET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>600; content:"/ecp/"; startswith; content:"__VIEWSTATEGENERATOR="; distance:0; content:"__VIEWSTATE="; distance:0; reference:url,www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keyscve; reference:cve,2020-0688; reference:url,www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/; classtype:attempted-admin; sid:2029540; rev:2; metadata:affected_product Web_Server_Applications, attack_target SMTP_Server, created_at 2020_02_26, cve CVE_2020_0688, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_03_02;)
Feb 26, 2020, 12:00 PM
Mar 2, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-web_specific_apps.rules