Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Identify Exchange Servers vulnerable to CVE-2020-0688

CVE-2020-0688 is a critical vulnerability in Microsoft Exchange due to use of static keys. Although exploitation requires valid credentials (at an email user level) and the risk of mass-exploitation is low, this vulnerability might be very useful in targeted attacks as it leads to SYSTEM level RCE.

More information:

Notes on false negatives

There are several sources of known false negatives (vulnerable Exchange servers that will be missed by this script):

  1. Potential Exchange servers are prescreened by identifying hosts that have both port 25 and 443 open. If there are any setups that block one of these, they will get missed.

  2. zmap is optimized for speed and scalability at the expense of precision. Typically multiple consecutive runs of zmap provide slightly different results. As a result, multiple runs of this script will show slightly different results as well.

    Not sure whether this is caused purely by network congestion or by buggy code. Pull-request with patches/workarounds are certainly welcome!

  3. We're not trying to be sneaky here, so some firewalls might simply block us as a robot.

  4. Since we're not doing any fancy fingerprinting and only rely on the version that Exchange server reports itself, we are limited to first three fields in version number.

    For example, latest cumulative update for Exchange Server 2019 is 15.2.529.5 which has been released in December and is vulnerable. The latest update that contains the patch is 15.2.529.8. Both of these self-report their version as 15.2.529, so the script will assume that the server is patched even if does not have the latest patch installed and is vulnerable.

    In practice though it seems that there are either Exchange admins that update their systems as soon as patches come out or those that live by "if it works, don't touch it" principle. There's no in between.


zmap, Python >= 3.5, modules:

  • dnspython
  • pyOpenSSL
  • requests

You can install them globally with:

$ sudo dnf install zmap python3-gevent python3-dns python3-pyOpenSSL


$ sudo apt install zmap python3-gevent python3-dns python3-openssl

Python modules can be installed locally as well, through virtualenv:

$ virtualenv -p python3 CVE-2020-0688
$ . ./CVE-2020-0688/bin/activate
$ pip install -r ./requirements.txt


For basic scanning all you need is a file with IPs/subnets (in CIDR format) to scan:

$ ./ ~/my_networks.txt output.csv

Output will be written in a CSV format with following columns:

IP Exchange Version Server Name PTR Common Name (from TLS cert)

Optionally, you can ask to output info on all Exchange servers found:

$ ./ -f ~/my_networks.txt output.csv

In which case there will be one more column to indicate whether server is vulnerable or not:

IP Exchange Version Vulnerable? Server Name PTR Common Name (from TLS cert)

You can also provide a file with blacklisted IPs/subnets (option -b), change the number of parallel tasks (-p) or length of the timeouts (-t):

$ # ./ -h
usage: [-h] [-b BLACKLIST] [-f] [-p PARALLEL] [-t TIMEOUT]
               input output

Identify Exchange servers vulnerable to CVE-2020-0688.

positional arguments:
  input                 Input file, each line contains one IP/subnet
  output                File to save the results (in CSV format)

optional arguments:
  -h, --help            show this help message and exit
  -b BLACKLIST, --blacklist BLACKLIST
                        File containing IPs/subnets to avoid
  -f, --full            Don't filter seemingly up-to-date Exchange servers
  -p PARALLEL, --parallel PARALLEL
                        How many requests to send in parallel (default: 1000)
  -t TIMEOUT, --timeout TIMEOUT
                        Timeout (seconds) to use for network connections
                        (default: 5)


Vulnerability scanner for CVE-2020-0688






No releases published


No packages published