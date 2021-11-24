Microsoft released November 2021 security updates for Exchange Server that address actively exploited high-severity vulnerabilities reported by security partners and found through Microsoft’s internal processes. Microsoft also admitted that one of these vulnerabilities (CVE-2021-42321) is currently under attack. It is a post-authentication vulnerability found in Exchange 2016 and 2019.

On-premises Microsoft Exchange Servers

Microsoft stated that these vulnerabilities affect on-premises Microsoft Exchange Server, including servers in Exchange Hybrid mode. However, Exchange Online users are safe and don’t need to take action against these vulnerabilities. Microsoft also urged users to install the updates as soon as possible.

Approximately two weeks after Microsoft’s release, a cybersecurity researcher published a proof-of-concept exploit for the high-severity vulnerability.

As many ppl requested,

Here is the PoC of CVE-2021-42321, Exchange Post-Auth RCE

This PoC just pops mspaint.exe on the target, can be used to recognize the signature pattern of a successful attack event https://t.co/mTbOFz94qM — Janggggg (@testanull) November 21, 2021

Users who want to check whether any of their vulnerable Exchange servers have already been targeted by this vulnerability can run the following PowerShell query on each server to detect specific events:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
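
The same check run across several servers in one pass, as an added example that is not part of the original article or of Microsoft's guidance. The server names are placeholders, and PowerShell remoting (WinRM) to each server is assumed; servers that could not be queried are reported separately from servers with no matching events.

```powershell
# Added example: run the article's event-log query on a list of Exchange servers.
# Server names are hypothetical placeholders; WinRM remoting is assumed to be enabled.
$servers = @('EXCH01', 'EXCH02')

$query = {
    # Same filter as the article's query. SilentlyContinue suppresses the error
    # Get-EventLog raises when no entry matches, so "no events" is not a failure.
    Get-EventLog -LogName Application -Source 'MSExchange Common' -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
        Select-Object TimeGenerated, EventID, Source, Message
}

$hits = @()
$unchecked = @()
foreach ($server in $servers) {
    try {
        # A connection or authentication failure throws here, so an unreachable
        # server is never counted as a clean one.
        $hits += @(Invoke-Command -ComputerName $server -ScriptBlock $query -ErrorAction Stop)
    }
    catch {
        $unchecked += [pscustomobject]@{ Server = $server; Error = $_.Exception.Message }
    }
}

# One summary row per server: matching events found, none found, or not checked.
$summary = foreach ($server in $servers) {
    $serverHits = @($hits | Where-Object { $_.PSComputerName -eq $server } | Sort-Object TimeGenerated)
    if ($unchecked.Server -contains $server) {
        $status = 'NOT CHECKED'
    }
    elseif ($serverHits.Count -gt 0) {
        $status = 'MATCHING EVENTS'
    }
    else {
        $status = 'no matching events'
    }
    [pscustomobject]@{
        Server    = $server
        Status    = $status
        Events    = $serverHits.Count
        FirstSeen = if ($serverHits.Count -gt 0) { $serverHits[0].TimeGenerated }
        LastSeen  = if ($serverHits.Count -gt 0) { $serverHits[-1].TimeGenerated }
    }
}

$summary | Format-Table -AutoSize
$unchecked | Format-Table -AutoSize -Wrap
```

`$hits` keeps the full message text of every matching event for follow-up, with the originating server in the `PSComputerName` property.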
