Active scanning for Microsoft Exchange ProxyShell vulnerability
CERT NZ is aware of reports that attackers are scanning for, and attempting to exploit, Microsoft Exchange servers vulnerable to ProxyShell – a chain consisting of three previously patched vulnerabilities in Microsoft Exchange server.
The three vulnerabilities are:
2. CVE-2021-34523 – both had security updates released in April 2021, and
3. CVE-2021-31207, which had a security update released in May 2021.
Together this chain of vulnerabilities allows an unauthenticated attacker to remotely execute arbitrary commands as SYSTEM.
CERT NZ recommends that organisations immediately make sure their servers have the most recent security updates applied.
The following systems are affected by these vulnerabilities if they have not been updated to the May 2021 Cumulative Update package (KB5003435):
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
What this means
Successful exploitation of these vulnerabilities would allow a remote attacker to execute commands on the Exchange server as SYSTEM. This allows for complete control of the Exchange server, and may allow access to other systems in the network.
What to look for
How to tell if you're at risk
Your organisation is at risk if you run a Microsoft Exchange server and haven’t updated to the May 2021 Cumulative Update package (KB5003435).
How to tell if you're affected
Check your Exchange server’s IIS logs for requests to the /autodiscover/autodiscover.json URI path that contain parameters including /mapi/nspi/.
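One way to run this log check offline, as an added example that is not part of the CERT NZ advisory: the function name `find_hits` is hypothetical, the log lines are constructed samples, and the logs are assumed to be in the IIS W3C extended format with a `#Fields:` directive.

```python
from urllib.parse import unquote

STEM = "/autodiscover/autodiscover.json"  # URI path named in the advisory
MARKER = "/mapi/nspi"                     # parameter content named in the advisory

def find_hits(lines):
    """Return one dict per IIS W3C log entry that matches the advisory's indicator."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; honour the latest directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        entry = dict(zip(fields, values))
        # Decode percent-encoding and fold case so encoded variants still match.
        stem = unquote(entry.get("cs-uri-stem", "")).lower()
        query = unquote(entry.get("cs-uri-query", "")).lower()
        if stem.startswith(STEM) and MARKER in stem + "?" + query:
            hits.append({k: entry.get(k, "-") for k in
                         ("date", "time", "c-ip", "cs-method", "sc-status")})
    return hits

# Constructed sample log (documentation-range IP addresses), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-08-10 02:11:07 192.0.2.10 GET /autodiscover/autodiscover.json a=/mapi/nspi/ 443 203.0.113.5 200
2021-08-10 02:12:00 192.0.2.10 POST /Autodiscover/Autodiscover.xml - 443 198.51.100.7 200
2021-08-10 02:13:30 192.0.2.10 GET /Autodiscover/Autodiscover.json a=%2Fmapi%2Fnspi%2F 443 203.0.113.9 302
2021-08-10 02:14:00 192.0.2.10 GET /autodiscover/autodiscover.json Protocol=ActiveSync 443 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```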
What to do
CERT NZ recommends that you update your Microsoft Exchange server to the latest security release immediately. See the Microsoft support article below to determine the correct updates for your Exchange server.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at email@example.com or call the MBIE media team on 027 442 2141.