This month, Microsoft released out-of-band security patches for multiple zero-day vulnerabilities in on-premises Exchange Server that were already being exploited in the wild. CVE-2021-26855 is a server-side request forgery (SSRF) flaw that lets an unauthenticated attacker who can reach port 443 send arbitrary HTTP requests and authenticate as the Exchange server itself, impersonating users. Chained with the other Exchange bugs fixed in the same release, it lets the attacker write files to the server, so beyond reading mailboxes they can drop a web shell for persistent access or stage ransomware. Microsoft rates the vulnerability critical and advises patching immediately.
As of this week, working proof-of-concept exploits are circulating publicly, which puts the bug within reach of attackers with little or no technical expertise. The video below shows how little effort it takes to obtain a high-privilege shell with the public proof-of-concept code (the Exchange IIS worker process runs as SYSTEM, so a web shell inherits that privilege). It is estimated that nearly 80,000 internet-exposed Exchange servers remain unpatched. If your organization runs on-premises Exchange, patch it now, and treat any server that was reachable from the internet before the patch as potentially compromised until you have checked it.
What to do?
Microsoft has released the Exchange On-premises Mitigation Tool (EOMT), a PowerShell script that applies the IIS URL Rewrite mitigation for CVE-2021-26855 and runs the Microsoft Safety Scanner. It is the fastest way to cut exposure on a server you cannot patch immediately, but it is a stopgap, not a substitute for the security update. To check whether your servers have already been exploited, run Microsoft's Test-ProxyLogon.ps1 script (formerly known as the HAFNIUM script, Test-Hafnium.ps1), which searches the Exchange HttpProxy, OABGenerator and ECP logs and the Windows Application event log for known indicators of compromise. Note that it detects exploitation, not exposure: a clean result does not mean the server is patched, since whether it is vulnerable is determined by the installed build number. The United States CISA recommends that all organizations run the script to determine whether their Exchange servers have been compromised. Stay updated with alerts from CISA (US-CERT).
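The two checks described above, as an added example that is not part of the original post and not Microsoft's own script: an offline triage helper that (1) decides whether an Exchange build string (as printed by Get-ExchangeServer's AdminDisplayVersion or a plain 15.x.y.z string) contains the March 2, 2021 fix, using the patched build numbers from Microsoft's advisory for Exchange 2013 CU23, 2016 CU18/CU19 and 2019 CU7/CU8, and (2) applies Microsoft's published CVE-2021-26855 indicator to HttpProxy log rows: an unauthenticated request whose AnchorMailbox begins with ServerInfo~ and contains a slash. The log excerpt is constructed with a reduced set of columns, and the host name EXCH01.corp.example and the IP addresses are made up; older CUs that received separate fixes later are outside the table and are reported as unpatched.

```python
"""Offline ProxyLogon triage: build-number check and HttpProxy log IoC scan."""
import csv
import re

# Builds that contain the March 2, 2021 fix, per product line (major, minor):
# a list of (cumulative-update build, minimum patched revision), oldest first.
PATCHED_BUILDS = {
    (15, 0): [(1497, 12)],             # Exchange 2013 CU23  -> 15.0.1497.12
    (15, 1): [(2106, 13), (2176, 9)],  # Exchange 2016 CU18 / CU19
    (15, 2): [(721, 13), (792, 10)],   # Exchange 2019 CU7 / CU8
}


def parse_build(version):
    """Turn '15.1.2176.9' or 'Version 15.1 (Build 2176.9)' into a 4-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if len(nums) != 4:
        raise ValueError("expected four numeric build components: %r" % version)
    return tuple(nums)


def is_patched(version):
    """True if the build ships with the CVE-2021-26855 fix, False otherwise.

    A CU newer than the last one in the table was released after the fix and
    includes it; a CU older than those listed got nothing on March 2 and must be
    updated. Product lines outside 15.0/15.1/15.2 are treated as unpatched.
    """
    major, minor, build, rev = parse_build(version)
    line = PATCHED_BUILDS.get((major, minor))
    if line is None:
        return False
    for cu_build, min_rev in line:
        if build == cu_build:
            return rev >= min_rev
    return build > line[-1][0]


def scan_httpproxy(log_text):
    """Return rows matching the CVE-2021-26855 indicator from HttpProxy log text.

    Indicator (Microsoft's published hunt): AuthenticatedUser is empty and
    AnchorMailbox looks like 'ServerInfo~<host>/<path>'. Comment lines that
    start with '#' are skipped; the first remaining line is the CSV header.
    """
    rows = [ln for ln in log_text.splitlines() if ln and not ln.startswith("#")]
    hits = []
    for row in csv.DictReader(rows):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append({
                "DateTime": row.get("DateTime", ""),
                "ClientIpAddress": row.get("ClientIpAddress", ""),
                "UrlStem": row.get("UrlStem", ""),
                "AnchorMailbox": anchor,
            })
    return hits


# Constructed sample: a reduced-column HttpProxy log with two exploitation
# attempts from one source IP, one legitimate authenticated request, and one
# unauthenticated request that does not carry the indicator.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T10:15:01.123Z,1,/owa/auth/x.js,,ServerInfo~EXCH01.corp.example/autodiscover/autodiscover.xml?a=~1941962,203.0.113.5,200
2021-03-03T10:15:04.551Z,2,/ecp/y.js,,ServerInfo~EXCH01.corp.example/ecp/DDI/DDIService.svc/SetObject,203.0.113.5,200
2021-03-03T10:16:12.007Z,3,/owa/,corp\\alice,Sid~S-1-5-21-1111-2222-3333-1001,10.0.0.42,200
2021-03-03T10:17:30.900Z,4,/ecp/,,Database~c0ffee00-0000-0000-0000-000000000001,10.0.0.43,401
"""

if __name__ == "__main__":
    for ver in ("15.1.2176.9", "Version 15.1 (Build 2176.4)", "15.2.858.5"):
        print("%-32s patched=%s" % (ver, is_patched(ver)))
    for hit in scan_httpproxy(SAMPLE_HTTPPROXY_LOG):
        print("IoC hit:", hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
```

On a real server the log text comes from the files under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy, and a hit should be followed by a look at the ECP and OABGenerator logs and the web roots for newly written .aspx files, which is what Test-ProxyLogon.ps1 automates; a build that is_patched reports as False needs the security update regardless of what the log scan finds.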