Multiple Zero-Days in Microsoft Exchange Server Actively Exploited in the Wild


Mar 3, 2021 | By Ashish Bisht | 2 min read

Microsoft has released out-of-band security updates for Exchange Server. The advisory addresses four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Microsoft also reports that these zero-days were already being exploited in the wild before the updates shipped. The Microsoft Threat Intelligence Center (MSTIC) attributes the attacks with high confidence to HAFNIUM, a China-based APT group that primarily targets organizations in the United States across a range of industry sectors. The attack chain begins with an untrusted connection to an on-premises Exchange Server on port 443, so exposure can be reduced in the interim by restricting untrusted connections to the server or by placing it behind a VPN. That only blocks the initial, unauthenticated stage: it does not protect against an attacker who already has access or who convinces an administrator to run a malicious file, and it is no substitute for the update. Patch management software can simplify rolling the update out across the estate.

Vulnerability Details

CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange that allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server.

CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service. Exploiting it gives the attacker code execution as SYSTEM on the Exchange Server, but it requires administrator permission or another vulnerability to reach.

CVE-2021-26858 and CVE-2021-27065: Post-authentication arbitrary file write vulnerabilities. An attacker who has authenticated to the Exchange Server, either by exploiting CVE-2021-26855 or by using compromised administrator credentials, can write a file to any path on the server.

Impact

Successful exploitation, in particular chaining the SSRF (CVE-2021-26855) with one of the file-write vulnerabilities, gives an unauthenticated remote attacker code execution on the Exchange Server and full compromise of the host.

Affected Platforms

The following on-premises versions are affected (Exchange Online is not):

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Solution

Microsoft has released security updates for the vulnerabilities. Apply them to every affected server as soon as possible. Because exploitation was under way before the updates were available, patching does not remove a foothold an attacker may already have on an exposed server, so servers that were reachable from the internet before patching should also be investigated for signs of compromise. SanerNow can detect these vulnerabilities.
