IRONSMITHINTEL
HIGHCVSS8.8
|
Actively Exploited
|CISA KEV|CVE-2020-0688|Auth: low — authenticated user|Reboot: required|Manual only

KB4536987: Windows Server Security Update (February 2020)

Microsoft Exchange Server Validation Key fails to properly create unique keys at install time, allowing for remote code execution.

Published Feb 11, 2020 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2022-05-03 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Improper Authentication (CWE-287) vulnerability in Microsoft Exchange Server. A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. Exploitation requires remote network access, low attack complexity, a low-privilege authenticated account, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

Exchange Administrators
Messaging Team
IT Security
Running exchange server: 2010, 2013, 2016, 2019
Fixed inKB4536987, KB4536988, KB4536989 (applies to 6 product versions)
Real-world incidentsWhat we've seen

Used in known ransomware campaigns. Threat-research write-up: http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB4536987

Manual remediation steps

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Updates

    1
    KB4536987 — https://support.microsoft.com/help/4536987
    1
    KB4536988 — https://support.microsoft.com/help/4536988
    1
    KB4536989 — https://support.microsoft.com/help/4536989

Supersedes: KB4509410, KB4523171

Affected Products

    1
    Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
    1
    Microsoft Exchange Server 2013 Cumulative Update 23
    1
    Microsoft Exchange Server 2016 Cumulative Update 14
    1
    Microsoft Exchange Server 2016 Cumulative Update 15
    1
    Microsoft Exchange Server 2019 Cumulative Update 3
    1
    Microsoft Exchange Server 2019 Cumulative Update 4

Installation Methods

Windows Update (recommended)

1
Settings → Windows Update → Check for updates
2
The security update is offered if your system is in scope
3
Restart when prompted (may or may not be required for this update)

Microsoft Update Catalog (manual download)

1
Open https://catalog.update.microsoft.com
2
Search for KB4536987
3
Download the package matching your OS architecture and Windows build
4
Run the .msu installer with administrator privileges
5
Restart when prompted

WSUS / SCCM / Intune

Approve KB4536987 for the affected products in your update management console.

Microsoft Download Center Links

    1
    https://www.microsoft.com/download/details.aspx?familyid=4d072d3e-153e-4a5a-859e-ad054fe24107
    1
    https://www.microsoft.com/download/details.aspx?familyid=5ae7346b-f59c-415d-b576-e50f6b493a23
    1
    https://www.microsoft.com/download/details.aspx?familyid=6f5e2305-f1dc-4ce9-97c5-4d6fc1b87a24
    1
    https://www.microsoft.com/download/details.aspx?familyid=a4bd9a4e-56f4-42c2-b0d7-fffe52c5dbe5
    1
    https://www.microsoft.com/download/details.aspx?familyid=ddba43d0-f66d-410d-a421-bb26e45d64b7
    1
    (…1 more)

Verification

Confirm the update is installed:

Get-HotFix | Where-Object { $_.HotFixID -in @('KB4536987','KB4536988','KB4536989') }

References

    1
    Microsoft Security Response Center: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
    1
    KB article: https://support.microsoft.com/help/4536987
    1
    KB article: https://support.microsoft.com/help/4536988
    1
    KB article: https://support.microsoft.com/help/4536989
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-0688
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0688

Discovery Credit

Anonymous working with Trend Micro's Zero Day Initiative

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2020-0688MSRC AdvisoryNVDKBKB4536987