Microsoft released out-of-band updates today that fix seven critical vulnerabilities in Microsoft Exchange Server.
According to the Microsoft Security Response Center, four of these seven vulnerabilities are used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.
Today Microsoft releases several security updates for Microsoft Exchange Server to address the following vulnerabilities:
|CVE-ID||CVSS:3.0 BaseScore||Exploited in the wild||Description|
|CVE-2021-26412||9.1||No||Remote Code Execution Vulnerability|
|CVE-2021-26854||6.6||No||Remote Code Execution Vulnerability|
|CVE-2021-26855||9.1||Yes||Server-side request forgery (SSRF) vulnerability in Exchange|
|CVE-2021-26857||7.8||Yes||Insecure deserialization vulnerability in the Unified Messaging service.|
|CVE-2021-26858||7.8||Yes||post-authentication arbitrary file write vulnerability in Exchange.|
|CVE-2021-27065||7.8||Yes||post-authentication arbitrary file write vulnerability in Exchange.|
|CVE-2021-27078||9.1||No||Remote Code Execution Vulnerability|
Exploited in the wild
Microsoft detects these 0-day exploits in the wild. In the attacks observed, the attackers used these vulnerabilities to access on-premises Exchange servers, gained access to email accounts as well as installing additional malware to facilitate long-term access to victim environments.
It is believed that the attack was from a hacker group called “HAFNIUM”.
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Microsoft has released IOCs and detection guidance to help customers detect possible compromises.
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Note: Microsoft Exchange Server 2010 is also being updated for Defense in Depth purposes.
Qualys customers can scan their network with QID 50107 to detect vulnerable assets.
Kindly continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.