A Vietnamese outfit called GTSC appears to have identified the holes, explaining in an advisory how a pair of security bugs can be exploited together to achieve remote code execution on Exchange installations.
The biz reported its findings to the Zero Day Initiative, which has assigned the ID ZDI-CAN-18333 to one flaw rated 8.8 on the ten-point Common Vulnerability Scoring System (CVSS) severity scale. The second flaw, ZDI-CAN-18802, is rated 6.3 out of 10.
Details of the vulnerabilities are scanty, with GTSC’s post detailing its observations of webshells with Chinese characteristics being dropped onto Exchange servers compromised via these two vulnerabilities. Each webshell “injects malicious DLLs into the memory, drops suspicious files on the attacked servers, and executes these files through the Windows Management Instrumentation Command line (WMIC).”
At this stage a good ending to this story is hard to envision, because while GTSC has outlined mitigations in its post, Microsoft is yet to issue a fix. History tells me that even once Microsoft publishes a patch, many thousands of Exchange users will not implement it promptly.