Microsoft acknowledged an elevated privilege flaw in its Exchange Server could allow a remote attacker with a simple mailbox account to gain administrator privileges. The flaw exists due to a perfect storm of default settings in Microsoft Exchange Server and the mail server and calendaring server that run on Windows Server operating systems. Microsoft has not issued a patch to fix the bug, but there are workaround fixes. Microsoft did not respond to a request for comment from Threatpost on when the upcoming fix would be released; they have seen the vulnerability being exploited in the wild.
Source: https://threatpost.com/microsoft-confirms-serious-privexchange-vulnerability/141553/