23 November 2021

PoC code released for Microsoft Exchange RCE vulnerability


A security researcher who goes online as ‘Janggggg’ has published proof-of-concept code for the actively exploited Microsoft Exchange post-authentication RCE vulnerability.

“This PoC just pops mspaint.exe on the target, can be used to recognize the signature pattern of a successful attack event,” the researcher wrote in a tweet.

The bug (CVE-2021-42321) is an input validation error caused by insufficient validation of cmdlet arguments. An authenticated remote user can run a specially crafted cmdlet and execute arbitrary commands on the system. Microsoft patched the flaw earlier this month as part of its November 2021 Patch Tuesday.
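A defender-side way to use the marker the PoC leaves behind, as an added example that is not from the article or the researcher's PoC: the script below scans process-creation telemetry for mspaint.exe, or a more realistic payload such as cmd.exe or powershell.exe, launched by an Exchange IIS worker process. The parent-process name (w3wp.exe) and the Sysmon-style event format are assumptions, and the log lines are constructed for the example.

```python
import json

# Assumption (not stated in the article): Exchange cmdlets execute inside IIS
# worker processes, so a payload launched through the bug shows up as a child
# of w3wp.exe. mspaint.exe is the benign marker the PoC pops; the other names
# extend the check to payloads a real intrusion would more plausibly launch.
EXCHANGE_PARENTS = {"w3wp.exe"}
SUSPECT_CHILDREN = {"mspaint.exe", "cmd.exe", "powershell.exe"}

# Constructed Sysmon-style process-creation events (one JSON object per line).
# These are sample records written for this example, not real telemetry.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\mspaint.exe", "User": "NT AUTHORITY\\SYSTEM", "UtcTime": "2021-11-23 10:15:02"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mspaint.exe", "User": "CORP\\alice", "UtcTime": "2021-11-23 10:16:40"}
{"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "NT AUTHORITY\\SYSTEM", "UtcTime": "2021-11-23 10:17:11"}
{"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\conhost.exe", "User": "NT AUTHORITY\\SYSTEM", "UtcTime": "2021-11-23 10:17:12"}
"""


def _basename(path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_exchange_spawns(lines):
    """Return events where an Exchange worker process spawned a suspect child.

    A user opening Paint from Explorer is normal; the same binary started by
    w3wp.exe is the pattern the PoC produces and is worth an alert.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the scan
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent in EXCHANGE_PARENTS and child in SUSPECT_CHILDREN:
            hits.append({"time": event.get("UtcTime"), "parent": parent,
                         "child": child, "user": event.get("User")})
    return hits


if __name__ == "__main__":
    for hit in find_exchange_spawns(SAMPLE_EVENTS.splitlines()):
        print(f"{hit['time']}  {hit['parent']} -> {hit['child']} as {hit['user']}")
```

On the constructed input the scan flags the mspaint.exe and powershell.exe launches from w3wp.exe and ignores the user's own Paint session and the conhost.exe helper.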

“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” Microsoft warned, adding that the bug affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode.

"Our recommendation is to install these updates immediately to protect your environment," Microsoft urged.

Threat actors are already targeting this bug, security researchers warn.

“Just caught somebody in the wild trying to exploit CVE-2021-42321 to execute code on MailPot, by chaining it with ProxyShell (no, I don't know why either - it doesn't work),” security researcher Kevin Beaumont tweeted.

Last week, cybersecurity agencies from the U.S., the U.K., and Australia warned of ongoing attacks in which Iranian state-sponsored hackers are exploiting Fortinet and Microsoft Exchange vulnerabilities to compromise networks of a wide range of targets across multiple critical infrastructure sectors.
