Active Exploitation of Vulnerabilities in Microsoft Exchange Server

Published on 03 Mar 2021

Updated on 14 Apr 2021

Microsoft has released security updates to address multiple vulnerabilities affecting Microsoft Exchange Server 2010 (Service Pack 3), Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

These vulnerabilities are actively being exploited in limited and targeted attacks:

  • CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability that could allow an attacker to use specially crafted web requests and authenticate as the Exchange Server
  • CVE-2021-26857 – An insecure deserialisation vulnerability in the Unified Messaging service that could allow an attacker to run code with escalated privileges on the Exchange Server
  • CVE-2021-26858 and CVE-2021-27065 – Post-authentication arbitrary file-write vulnerabilities that could allow an authenticated attacker to upload files onto the server

Administrators and users are advised to install the latest (March 2021) Exchange Server security updates immediately and to consider scanning their Exchange log files for indicators of compromise (refer to link 1 below). Updates are available for:

  • Exchange Server 2010 (RU 31 for Service Pack 3)
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 19, CU 18)
  • Exchange Server 2019 (CU 8, CU 7)

More information is available here:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/