⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2021-11-17.

CVE-2021-34473

CWE-918 — Server-Side Request Forgery (SSRF)22 documents14 sources

Severity

9.8CRITICAL

EPSS

94.2%

top 0.08%

CISA KEV

KEVRansomware

Added 2021-11-03

Due 2021-11-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Microsoft Exchange Server 2013 Cumulative Update 23 Microsoft Microsoft Exchange Server 2016 Cumulative Update 19 Microsoft Microsoft Exchange Server 2016 Cumulative Update 20 +3 more

Timeline

PublishedJul 14

KEV addedNov 3

KEV dueNov 17

Latest updateJul 30

CISA Required Action: Apply updates per vendor instructions.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5microsoft/microsoft_exchange_server_2019_cumulative_update_815.02.0 — 15.02.0792.013

▶CVEListV5microsoft/microsoft_exchange_server_2019_cumulative_update_915.02.0 — 15.02.0858.010

▶CVEListV5microsoft/microsoft_exchange_server_2013_cumulative_update_2315.00.0 — 15.00.1497.015

▶CVEListV5microsoft/microsoft_exchange_server_2016_cumulative_update_1915.01.0 — 15.01.2176.012

▶CVEListV5microsoft/microsoft_exchange_server_2016_cumulative_update_2015.01.0 — 15.01.2242.008

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-fgq9-p33g-xcfc: Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206↗2022-05-24

▶

CVEList

Microsoft Exchange Server Remote Code Execution Vulnerability↗2021-07-14

▶

VulnCheck

Microsoft Exchange Server Remote Code Execution Vulnerability↗2021

▶

💥Exploits & PoCs

Nuclei

Exchange Server - Remote Code Execution

▶

Metasploit

Microsoft Exchange ProxyShell RCE↗

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473)↗2022-03-29

▶

Suricata

ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473)↗2022-03-29

▶

Suricata

ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473)↗2021-08-12

▶

Suricata

ET EXPLOIT Possible Microsoft Exchange RCE with Python PSRP Client UA Inbound (CVE-2021-34473)↗2021-08-12

▶

Suricata

ET EXPLOIT Possible Microsoft Exchange RCE Inbound M1 (CVE-2021-34473)↗2021-08-09

▶

📋Vendor Advisories

CISA

Microsoft Exchange Server Remote Code Execution Vulnerability↗2021-11-03

▶

Microsoft

Microsoft Exchange Server Remote Code Execution Vulnerability↗2021-07-13

▶

🕵️Threat Intelligence

Bleepingcomputer

UK govt links 2021 Electoral Commission breach to Exchange server↗2024-07-30

▶

Unit42

Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor↗2023-06-28

▶

Unit42

Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report↗2022-07-21

▶

Elastic

Detection and response for the actively exploited ProxyShell vulnerabilities — Elastic Security Labs↗2022-06-02

▶

Unit42

Network Security Trends: August-October 2021↗2021-12-21

▶