A security researcher who goes by ‘Janggggg’ online has published proof-of-concept code for the actively exploited post-authentication Microsoft Exchange remote code execution (RCE) vulnerability.
“This PoC just pops mspaint.exe on the target, can be used to recognize the signature pattern of a successful attack event,” the researcher wrote in a tweet.
The bug, tracked as CVE-2021-42321, is an input validation error caused by insufficient validation of cmdlet arguments. An authenticated remote attacker can run a specially crafted cmdlet to execute arbitrary commands on the server. Microsoft patched the flaw earlier this month as part of its November 2021 Patch Tuesday updates.
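Since the public PoC announces itself by launching mspaint.exe, the useful defensive question is what that looks like in process-creation telemetry. The following is an added example written for this page, not the researcher's PoC and not Microsoft's guidance. It assumes Sysmon-style process-creation records (Image, ParentImage, ParentCommandLine, User) and that an Exchange remote PowerShell cmdlet runs inside an IIS worker process (w3wp.exe), so a payload spawned by a successful exploit appears as a child of w3wp.exe; the allowlist of expected children, the sample events and the helper names are all constructed for illustration.

```python
"""Hunt for the CVE-2021-42321 PoC pattern (mspaint.exe spawned by an
Exchange worker process) in process-creation telemetry.

Added example, not the published PoC. Assumptions not stated on the page:
- records are Sysmon Event ID 1 style dicts (Image, ParentImage,
  ParentCommandLine, User);
- Exchange remote PowerShell cmdlets execute inside w3wp.exe, so a payload
  launched by a successful exploit is a child of w3wp.exe.
"""
import re
from typing import Dict, List, Optional

# Children a healthy Exchange worker process is expected to spawn
# (hypothetical allowlist; tune it from your own baseline).
EXPECTED_W3WP_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe"}

# The public PoC launches mspaint.exe; any shell or LOLBin from w3wp.exe
# deserves the same attention.
KNOWN_POC_PAYLOADS = {"mspaint.exe"}
LOLBIN_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                 "certutil.exe", "rundll32.exe"}

# IIS passes the application pool name to w3wp.exe as -ap "<name>".
APPPOOL_RE = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def app_pool(parent_cmdline: Optional[str]) -> Optional[str]:
    """Extract the IIS app pool name from a w3wp.exe command line, if present."""
    m = APPPOOL_RE.search(parent_cmdline or "")
    return m.group(1) if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a verdict string for a suspicious w3wp.exe child, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != "w3wp.exe":
        return None          # only Exchange worker children are in scope
    if child in KNOWN_POC_PAYLOADS:
        return "poc-signature"
    if child in LOLBIN_SHELLS:
        return "shell-from-exchange-worker"
    if child not in EXPECTED_W3WP_CHILDREN:
        return "unexpected-child"
    return None


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over every record; keep hits with verdict and app pool."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict:
            hits.append({"verdict": verdict,
                         "pool": app_pool(e.get("ParentCommandLine")),
                         **e})
    return hits


# Constructed sample telemetry; not real log data.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS_POOL = W3WP + ' -ap "MSExchangePowerShellAppPool" -v "v4.0"'
SAMPLE_EVENTS = [
    {"ParentImage": W3WP, "ParentCommandLine": PS_POOL,
     "Image": r"C:\Windows\System32\mspaint.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": W3WP, "ParentCommandLine": PS_POOL,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\mspaint.exe", "User": "CORP\\alice"},
    {"ParentImage": W3WP, "ParentCommandLine": PS_POOL,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": W3WP, "ParentCommandLine": PS_POOL,
     "Image": r"C:\Windows\System32\whoami.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['verdict']:<28} pool={h['pool']} child={basename(h['Image'])}")
```

Of the five constructed records, three are flagged: the mspaint.exe child of w3wp.exe (the PoC signature), the powershell.exe child, and whoami.exe as an unexpected child; a user launching Paint from explorer.exe is correctly ignored. Filtering on the app pool name narrows the hunt further, since only the Exchange PowerShell pool should be running cmdlets.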
“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” Microsoft warned, adding that the bug affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode.
“Our recommendation is to install these updates immediately to protect your environment,” Microsoft urged.
Threat actors are already targeting this bug, security researchers warn.
“Just caught somebody in the wild trying to exploit CVE-2021-42321 to execute code on MailPot, by chaining it with ProxyShell (no, I don't know why either - it doesn't work),” security researcher Kevin Beaumont tweeted.
Last week, cybersecurity agencies from the U.S., the U.K., and Australia warned of ongoing attacks in which Iranian state-sponsored hackers are exploiting Fortinet and Microsoft Exchange vulnerabilities to compromise networks of a wide range of targets across multiple critical infrastructure sectors.