Rewterz Threat Alert – Mass Scanning Detected Targeting Unpatched Microsoft Exchange servers
November 24, 2021
Severity
High
Analysis Summary
A security researcher has recently released a PoC (proof-of-concept) exploit for CVE-2021-42321, a post-authentication RCE vulnerability affecting Microsoft Exchange servers.
Threat actors are targeting unpatched environments, and Microsoft is urging Exchange admins to patch the bug, which is being exploited in the wild.
“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment,” reads the announcement published by Microsoft. “These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.”
Separately, a new PoC for a zero-day vulnerability has been published by security researcher Abdelhamid Naceri.
“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass,” explains Naceri in his writeup “InstallerFileTakeOver.”
He released the PoC out of frustration with Microsoft’s new bug bounty program. The PoC is being used by hackers and threat actors to gain SYSTEM privileges on vulnerable systems.
Impact
- Remote Code Execution
- Privilege Escalation
Affected Vendors
Microsoft
Affected Products
- All supported versions of Windows 10, Windows 11, and Windows Server 2022
Remediation
It is advised to keep Exchange servers up to date with the latest security patches.
Updates for CVE-2021-42321 can be found below.
Furthermore, users are advised to patch the previously exploited CVE-2021-41379 vulnerability via Microsoft updates.
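A practical way to verify the remediation above is to audit the installed Exchange build and the Windows hotfix state on each on-premises server. The following script is an added example, not part of the Rewterz alert or any Microsoft tooling. It reads the build from ExSetup.exe's file version (the method Microsoft documents for identifying the installed CU/SU, since AdminDisplayVersion does not change when a security update is applied) and compares it with a minimum build per Exchange branch; the minimum build numbers and the Windows KB identifier are placeholders that must be replaced with the values from Microsoft's November 2021 update documentation.

```powershell
# Added example (not from the Rewterz alert): audit Exchange build and Windows hotfix status.
# Run from the Exchange Management Shell on each on-premises Exchange 2016/2019 server.
# The minimum builds and KB id below are PLACEHOLDERS; fill them in from Microsoft's
# November 2021 security update documentation before relying on the result.

$MinimumPatchedBuild = @{
    '15.1' = [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016 November 2021 SU build
    '15.2' = [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019 November 2021 SU build
}
$WindowsFixKb = 'KB0000000'        # PLACEHOLDER: Windows update that addresses CVE-2021-41379

function Get-ExchangeBuild {
    # ExSetup.exe's file version reflects the installed CU and SU; Microsoft documents this
    # as the way to read the build. AdminDisplayVersion only reflects the CU.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.ProductVersion
}

function Test-ExchangePatched {
    param([version]$Build, [hashtable]$Minimums)
    # Branch key is "15.1" (Exchange 2016) or "15.2" (Exchange 2019)
    $key = "$($Build.Major).$($Build.Minor)"
    if (-not $Minimums.ContainsKey($key)) {
        return [pscustomobject]@{ Build = $Build; Minimum = $null; Status = 'UnknownBranch' }
    }
    $status = if ($Build -ge $Minimums[$key]) { 'Patched' } else { 'NEEDS UPDATE' }
    return [pscustomobject]@{ Build = $Build; Minimum = $Minimums[$key]; Status = $status }
}

function Test-WindowsHotfix {
    param([string]$KbId)
    # Get-HotFix writes a non-terminating error when the KB is absent; suppress it and
    # treat "nothing returned" as "not installed".
    $hf = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return [pscustomobject]@{ KB = $KbId; Installed = [bool]$hf; InstalledOn = $hf.InstalledOn }
}

$exchange = Test-ExchangePatched -Build (Get-ExchangeBuild) -Minimums $MinimumPatchedBuild
$windows  = Test-WindowsHotfix -KbId $WindowsFixKb

"Exchange build {0}: {1} (minimum {2})" -f $exchange.Build, $exchange.Status, $exchange.Minimum
"Windows fix {0} installed: {1}" -f $windows.KB, $windows.Installed

# Non-zero exit lets a scheduler or configuration-management run flag the host.
if ($exchange.Status -ne 'Patched' -or -not $windows.Installed) { exit 1 }
```

The build comparison only tells you whether the server is at or above the build you supplied; it does not by itself prove a given CVE is fixed, so the placeholder values must come from Microsoft's own update notes for the relevant CU.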