Threat Alert

by IthacaLabs™

Threat Level: Critical | 03/03/2021

Four New Zero Day Vulnerabilities in Microsoft Exchange Servers exploited in the wild

Threat Level Description

Threat Level: Critical – An attack is expected imminently. Maximum protective security measures are applied to meet specific threats and to minimize vulnerability and risk. Critical may also be used if a terrorist attack is expected that seeks to destroy, incapacitate, or exploit critical infrastructure in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence.


We have observed that four zero-day vulnerabilities in Microsoft Exchange Server have been identified.

The zero-days have been actively exploited in the wild by several “cyber-espionage groups”, whose targets include not only the United States but also other countries, including Germany, France, Kazakhstan, and more.

The most dangerous of these vulnerabilities is a server-side request forgery (SSRF) bug. This bug, named Hafnium (CVE-2021-26855), is an SSRF vulnerability in Microsoft Exchange Server that does not require any authentication. A remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable Exchange Server. Successful exploitation could allow the attacker to authenticate to the Exchange Server and exfiltrate data from users’ inboxes.

Note that only Exchange Servers that accept untrusted connections over port 443 are vulnerable to this flaw.

CVE-2021-26857 is an insecure deserialization vulnerability in Microsoft Exchange Server. Specifically, the flaw resides in the Exchange Unified Messaging Service, which enables voice mail functionality in addition to other features. To exploit this flaw, an attacker would need to be authenticated to the vulnerable Exchange Server with administrator privileges or exploit another vulnerability first. Successful exploitation would grant the attacker arbitrary code execution privileges as “SYSTEM”.

CVE-2021-26858 and CVE-2021-27065 are both arbitrary file write vulnerabilities in Microsoft Exchange Server. These flaws can only be exploited after authenticating to the vulnerable Exchange Server, which could be achieved by exploiting CVE-2021-26855 or by possessing stolen administrator credentials. Once authenticated, an attacker could write arbitrary content to any path on the vulnerable server.



Affected Systems

  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 7
  • Microsoft Exchange Server 2016 Cumulative Update 18


Microsoft released out-of-band patches for Microsoft Exchange Server on March 2 that address all four vulnerabilities exploited in the wild. You should immediately update to the latest version of Microsoft Exchange Server and apply the relevant security patches.
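A quick way to confirm which servers still need the March 2 update is to compare each server's installed build against the post-patch build for its release branch. The script below is an added example and is not part of the IthacaLabs alert or any Microsoft tooling. It assumes it is run from the Exchange Management Shell with PowerShell remoting enabled to each server, and it reads the ExSetup.exe file version because AdminDisplayVersion only reflects the Cumulative Update, not a security update layered on top of it. The build table is deliberately left as a placeholder: fill in the post-patch build for each branch from Microsoft's March 2, 2021 security update announcement before relying on the result.

```powershell
# Added example (not from the IthacaLabs alert): flag Exchange servers whose
# installed build is below the March 2, 2021 patched build for their branch.
# Assumes the Exchange Management Shell and PowerShell remoting to each server.

# PLACEHOLDER table: replace each $null with the post-patch ExSetup.exe build
# for that branch, taken from Microsoft's security update notes.
$MinimumPatchedBuild = @{
    '15.0' = $null   # Exchange Server 2013 (CU23)
    '15.1' = $null   # Exchange Server 2016 (CU18 / CU19)
    '15.2' = $null   # Exchange Server 2019 (CU7 / CU8)
}

function Get-ExchangePatchStatus {
    foreach ($srv in Get-ExchangeServer) {
        # ExSetup.exe carries the security-update build; AdminDisplayVersion does not.
        $exsetupVersion = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
        }
        $installed = [version]$exsetupVersion
        $branch    = '{0}.{1}' -f $installed.Major, $installed.Minor
        $minimum   = $MinimumPatchedBuild[$branch]

        $status = if (-not $minimum) {
            'UNKNOWN (fill in the build table)'
        } elseif ($installed -lt [version]$minimum) {
            'VULNERABLE - apply the March 2 update'
        } else {
            'Patched'
        }

        [pscustomobject]@{
            Server  = $srv.Name
            CU      = $srv.AdminDisplayVersion
            ExSetup = $exsetupVersion
            Status  = $status
        }
    }
}

Get-ExchangePatchStatus | Format-Table -AutoSize
```

Run it once before and once after patching; any server still reporting VULNERABLE, or UNKNOWN because it runs a branch not in the table, should be treated as exposed until confirmed otherwise.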

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to operate an efficient patch management process, keep security event logging enabled at all times, and practise continuous event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations require a comprehensive approach to risk management, including penetration testing at least annually and after significant changes.

