11 March 2021

Security researcher shares PoC for Microsoft Exchange ProxyLogon flaws


A Vietnamese security researcher has released fully working proof-of-concept (PoC) code for a set of vulnerabilities affecting Microsoft Exchange Server, collectively called “ProxyLogon”, that have been actively exploited by threat actors since the beginning of this year. The technical details of the exploitation chain have been provided in a blog post on Medium.

Several security researchers have already confirmed the validity of the new PoC. It appears that the exploit code chains CVE-2021-26855 and CVE-2021-27065 to authenticate to an Exchange server and run malicious code.

“Hafnium Exchange RCE Exploit. I've confirmed there is a public PoC floating around for the full RCE exploit chain. It has a couple of bugs but with some fixes I was able to get shell on my test box,” Marcus Hutchins, a security researcher at Kryptos Logic, wrote in a tweet.

In an interview with The Record, Hutchins said that the PoC “is not usable out of the box, but can be easily adjusted to obtain what security researchers call a ‘remote code execution’ state.”

Last week, Microsoft released emergency security updates for its Exchange Server enterprise email product to patch four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that have been actively exploited in real-world attacks. At the time, the tech giant attributed the attacks to a China-linked threat actor called Hafnium, which targets a number of industry sectors in the US, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs, seeking to steal information.

Following Microsoft’s disclosure there has been a spike in attacks exploiting the vulnerabilities in MS Exchange. Estimates suggest that at least 60,000 organizations around the globe may have been compromised in the Microsoft Exchange hack.

According to the cybersecurity firm ESET, at least 10 state-sponsored hacking groups focused on cyber-espionage have exploited the flaws in the Exchange Server software in recent days in operations around the world, with many of them known to have ties with China. These include Winnti Group, Tonto Team (aka CactusPete), Mikroceen APT, LuckyMouse, Tick, Calypso, and others.
