Security Researcher Released PoC Exploit for High-severity Vulnerability in Microsoft Exchange
The Microsoft Exchange Vulnerability Could Be Used by Threat Actors to Execute Arbitrary Code on Unprotected Systems.
Last week, security specialist Nguyen Jang released technical information and proof-of-concept (PoC) exploit code for CVE-2021-28482, a severe flaw in Microsoft Exchange Server that attackers could use to execute code on vulnerable systems.
The flaw is one of four critical and high-severity vulnerabilities in Microsoft Exchange Server (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) reported by the U.S. National Security Agency (NSA) to Microsoft.
Although CVE-2021-28482 is not as severe as the others, all of these flaws are remote code execution (RCE) vulnerabilities that could let threat actors compromise unprotected machines, so Microsoft advises its users to install the most recent updates.
As stated by the U.S. National Security Agency (NSA), the dangerous vulnerabilities were recently brought to light by its experts and immediately reported to Microsoft.
Security specialist Nguyen Jang, who previously released a PoC exploit for the ProxyLogon vulnerabilities, published the PoC exploit code for the high-severity vulnerability in Microsoft Exchange Server on April 26.
This week, the researcher published a demo exploit for CVE-2021-28482, written in Python, on GitHub.
Will Dormann, a CERT/CC vulnerability specialist, successfully evaluated the PoC exploit and explained that it could be used to compromise vulnerable MS Exchange installs.
Can confirm. At least with my testing Python version, I had to tweak just slightly to account for redirects. But if anybody STILL doesn’t have April’s Exchange patches installed, if you can imagine an AUTHENTICATED attacker is a possibility, then assume CVE-2021-28482 was used. https://t.co/BSjDBDEEBV
— Will Dormann (@wdormann) May 2, 2021
Because the PoC hacking tool was considered a threat to Microsoft’s customers running Microsoft Exchange, GitHub took it down not long after publication.
Nguyen Jang stated that he published the PoC code as a wake-up call about the latest wave of attacks and to give his colleagues the opportunity to study the code used in the hacks.
The vulnerability analyst told BleepingComputer that even if this bug is not as serious as ProxyLogon, since it does not allow en masse scanning or exploitation, a real-life scenario for leveraging it exists:
But, any Exchange instance where a single user has a password that has been leaked, or any organization that has a single malicious or even just compromised insider is at risk if they have not installed April’s Exchange update.
The public availability of the PoC exploit constitutes a significant risk to organizations operating unpatched on-premises Microsoft Exchange machines, so companies are urged to install the newest patches for Exchange Server.