Exploiting Exchange PowerShell After ProxyNotShell: Part 2 - ApprovedApplicationCollection
ID: 6c1af3f4-afe2-5ac0-9f7e-4928e70005bb
STIX ID: report--6c1af3f4-afe2-5ac0-9f7e-4928e70005bb
Feed Name: Zero Day Initiative (ZDI) Blog
This report details a demonstrated RCE chain against Microsoft Exchange that combines an Exchange deserialization issue (CVE-2023-36756) with an unpatched path traversal in the Windows utility extrac32.exe (ZDI-CAN-21499). It explains how allow/deny list shortcomings in PowerShell remoting deserialization (MultiValuedProperty) permitted abuse of classes such as ApprovedApplicationCollection, recounts prior related CVEs and patches (including CVE-2023-32031), and notes Microsoft chose not to patch the extrac32 issue despite the demonstrated impact.
