PRUEBA AHORA
Vulnerability

4 Microsoft Exchange Zero-day Flaws Patched

2 min. read
03/03/2021
By Nils Macharis
Microsoft-Exchange-Server-Vulnerability

Microsoft has released emergency out-of-band security updates to plug 7 Exchange Server vulnerabilities, 4 of which are Zero-day flaws being actively exploited in the wild.

The four zero-day flaws (CVE-2021-26857, CVE-2021-26858, CVE-2021-26855, and CVE-2021-27065) are actively being exploited by attackers to plunder e-mail communications from organizations that have Microsoft Exchange Server software installations within their network.

Microsoft stated that an unknown Chinese group named ‘Hafnium’ is using these flaws since they are known for their attacks against US-based companies.

Actively Exploited Zero-day Vulnerabilities

CVE-2021-26855

This vulnerability is a Server-Side Request Forgery (SSRF). This means that an attacker with no access at all could exploit this flaw because the on-premises Exchange Server runs a command that it normally shouldn’t be permitted to run.

CVE-2021-26857

CVE-2021-26857 is a Remote Code Execution vulnerability (also known as insecure deserialization) that can be found in the Exchange Unified Messaging Service. It’s part of a larger attack chain (the four zero-day vulnerabilities) in which this RCE vulnerability would give the attacker arbitrary code execution privileges.

CVE-2021-26858

This is one of the two arbitrary file-write vulnerabilities present in Microsoft Exchange. Because we are talking about a chained attack, the attackers could use CVE-2021-26855 to obtain admin credentials in order to arbitrarily write to every file on the vulnerable Exchange server.

CVE-2021-27065

This is the second arbitrary file. Bot (CVE-2021-26858 & CVE-2021-27065) vulnerabilities need authentication before they could be exploited, that’s where the SSRF vulnerability comes into play.

Exchange Server Vulnerability Patch

Microsoft just released four fixes for this vulnerability which can be found on our April 2021 Patch Tuesday blog.