A proof-of-concept exploit for a high-severity post-auth vulnerability in Microsoft Exchange Server 2016 and Exchange Server 2019 has been made public.
The flaw, tracked as CVE-2021-42321, is due to improper validation of cmdlet arguments and can be exploited remotely by an attacker to execute arbitrary code on vulnerable Exchange servers. Microsoft released a fix for the CVSS 8.8 severity flaw two weeks ago on November 2021 Patch Tuesday, and at the time advised all users of Exchange Server 2016/2019 (including Exchange Hybrid mode) to apply the update as soon as possible as it was known to have been exploited in limited attacks in the wild.
Security researchers have detected several threat actors scanning for Exchange servers vulnerable to CVE-2021-42321, and now that a PoC exploit for the vulnerability has been publicly released, exploitation of the flaw is likely to increase. Patching this vulnerability should be prioritized.
Microsoft Exchange servers have been extensively targeted by threat actors this year, in particular through the ProxyLogon and ProxyShell vulnerabilities. Those flaws have commonly been exploited to deliver web shells, ransomware, and malware such as cryptominers, so all Exchange servers should be kept up to date and have patches applied as soon as possible after release.
The PoC CVE-2021-42321 exploit was released on GitHub by researcher Janggggg on November 21, who said on Twitter, “This PoC just pops mspaint.exe on the target, can be used to recognize the signature pattern of a successful attack event.”
After applying the update on all vulnerable Exchange servers, it is recommended to check the Application event log to see whether the flaw has already been exploited. This can be done with the following PowerShell query, which looks for MSExchange Common error events mentioning BinaryFormatter.Deserialize, the signature of a failed or successful deserialization attempt.
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
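The one-liner above checks a single server. The script below is an added example (not from the article, Microsoft, or the PoC author) that runs the same check across every Exchange server in the organization and collects the hits for triage; it assumes it is run from the Exchange Management Shell (for Get-ExchangeServer) with rights to read the remote Application logs, and the CSV file name is an arbitrary choice.

```powershell
# Added example: sweep all Exchange servers for the "BinaryFormatter.Deserialize"
# error events that the article's Get-EventLog one-liner looks for on one host.
param(
    [int]$DaysBack = 30   # how far back to look; match your event log retention
)

$since = (Get-Date).AddDays(-$DaysBack)

# Get-ExchangeServer is only available in the Exchange Management Shell;
# fall back to the local machine when it is not loaded.
$servers = try { (Get-ExchangeServer).Name } catch { @($env:COMPUTERNAME) }

$findings = foreach ($server in $servers) {
    try {
        # Get-WinEvent with a filter hashtable is far cheaper than Get-EventLog
        # on large Application logs. Level 2 is "Error".
        $events = Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'MSExchange Common'
            Level        = 2
            StartTime    = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as no findings
        # but still surface unreachable hosts when run with -Verbose.
        Write-Verbose "$server : no matching events or log unreachable ($($_.Exception.Message))"
        continue
    }

    $events |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        ForEach-Object {
            [pscustomobject]@{
                Server      = $server
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Message     = ($_.Message -split "`n")[0]   # first line is enough for triage
            }
        }
}

if ($findings) {
    $findings | Sort-Object TimeCreated | Format-Table -AutoSize
    # Assumed output path; keep a copy for the incident record.
    $findings | Export-Csv -Path '.\exchange-deserialize-events.csv' -NoTypeInformation
} else {
    Write-Host "No MSExchange Common deserialization errors found since $since."
}
```

Any hit should be treated as a possible exploitation attempt and investigated on that server, since the event is written whether or not the attacker's payload succeeded.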