Microsoft Fixes Exchange Server Zero-Days Exploited in Active Attacks


Microsoft released out-of-band updates today that fix seven critical vulnerabilities in Microsoft Exchange Server.

According to the Microsoft Security Response Center, four of these seven vulnerabilities are used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.


Today Microsoft releases several security updates for Microsoft Exchange Server to address the following vulnerabilities:

CVE-ID CVSS:3.0 BaseScore Exploited in the wild Description
CVE-2021-26412 9.1 No Remote Code Execution Vulnerability
CVE-2021-26854 6.6 No Remote Code Execution Vulnerability
CVE-2021-26855 9.1 Yes Server-side request forgery (SSRF) vulnerability in Exchange
CVE-2021-26857 7.8 Yes Insecure deserialization vulnerability in the Unified Messaging service.
CVE-2021-26858 7.8 Yes post-authentication arbitrary file write vulnerability in Exchange.
CVE-2021-27065 7.8 Yes post-authentication arbitrary file write vulnerability in Exchange.
CVE-2021-27078 9.1 No Remote Code Execution Vulnerability
Exploited in the wild

Microsoft detects these 0-day exploits in the wild.  In the attacks observed, the attackers used these vulnerabilities to access on-premises Exchange servers, gained access to email accounts as well as installing additional malware to facilitate long-term access to victim environments.

It is believed that the attack was from a hacker group called “HAFNIUM”.

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Microsoft has released IOCs and detection guidance to help customers detect possible compromises.


Affected products
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Note: Microsoft Exchange Server 2010 is also being updated for Defense in Depth purposes.


Qualys customers can scan their network with QID 50107 to detect vulnerable assets.

Kindly continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.


  1. References

Leave a Reply

Your email address will not be published. Required fields are marked *