ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate an admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default!
As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server with only port 443 open!
Check whether you are running a patched version here.
You will need to install the latest CU first: the March 2, 2021 security update only installs on top of the Cumulative Update levels listed below.
| Release date | Product | Impact | Severity | KB article | Type | CVE |
|---|---|---|---|---|---|---|
| Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 18 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 7 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 8 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 19 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
The Nmap NSE script http-vuln-cve2021-26855 was created by Microsoft and can be found here. Running it against port 443 of an unpatched server reports the SSRF vulnerability:

```
$ nmap -p 443 --script http-vuln-cve2021-26855 10.10.10.15

PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|     Disclosure date: 2021-03-02
|     References:
|_      http://aka.ms/exchangevulns
```

The script takes one argument, http-vuln-cve2021-26855.method, which sets the HTTP method for the request. The default method is "GET".
TO BE CONTINUED
Microsoft's Test-ProxyLogon.ps1 script checks an Exchange server's logs for signs that the ProxyLogon vulnerabilities were exploited; run it from the Exchange Management Shell and give it an output folder for any findings:

```
Welcome to the Exchange Management Shell!

[PS] C:\Users\Johndo-adm>.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Do you want to run software from this untrusted publisher?
File C:\Users\Johndo-adm\Test-ProxyLogon.ps1 is published by CN=Microsoft Corporation,
O=Microsoft Corporation, L=Redmond, S=Washington, C=US and is not trusted on your system.
Only run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"): R

ProxyLogon Status: Exchange Server EXCH01
Nothing suspicious detected
```
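One of the things Test-ProxyLogon.ps1 examines is the Exchange HttpProxy log. The Python below is an added example (not from the original page and not Microsoft's script) that parses a constructed HttpProxy log and flags rows carrying the indicator Microsoft published for CVE-2021-26855: an AnchorMailbox value matching ServerInfo~*/* or a BackEndCookie value matching Server~*/*~*. The column subset, the handling of the "#" preamble and every sample value are constructed assumptions; on a real server the logs live under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy and have many more columns, but the two matched columns keep their names.

```python
"""Hunt Exchange HttpProxy logs for the CVE-2021-26855 (ProxyLogon) indicator.

Added example; not part of the original page and not Microsoft's
Test-ProxyLogon.ps1. The indicator is the one Microsoft published for
CVE-2021-26855: an AnchorMailbox matching 'ServerInfo~*/*' or a
BackEndCookie matching 'Server~*/*~*'. The column subset and the sample
rows are constructed (assumption: a trimmed HttpProxy log layout).
"""
import csv
import fnmatch
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Wildcards as published in Microsoft's guidance ('*' matches any run of
# characters, including '/', in fnmatch syntax).
ANCHOR_PATTERN = "ServerInfo~*/*"
COOKIE_PATTERN = "Server~*/*~*"

# Constructed sample: one legitimate OWA request, then two requests from a
# second client that carry the indicator. Exchange prefixes its logs with
# '#' header lines and repeats the column names as the first data row.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AnchorMailbox,BackEndCookie
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AnchorMailbox,BackEndCookie
2021-03-02T10:00:01.000Z,1,10.0.0.5,mail.example.test,/owa/,GET,Sid~S-1-5-21-111-222-333-1104,Server~mail.example.test~1941962753~2021-03-02T10:00:01
2021-03-02T10:00:07.000Z,2,203.0.113.9,mail.example.test,/ecp/,GET,ServerInfo~localhost/autodiscover/autodiscover.xml,
2021-03-02T10:00:09.000Z,3,203.0.113.9,mail.example.test,/ecp/,POST,ServerInfo~localhost/ecp/x.js,Server~exch01.example.test/ecp/x.js~2021-03-02T10:00:09
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str
    backend_cookie: str
    reason: str  # which column(s) matched, joined by '+'


def iter_rows(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per log row, tolerating Exchange's '#...' preamble.

    Column names come from the '#Fields:' line when present, otherwise from
    the first non-comment row; a repeated header row is dropped.
    """
    fieldnames: Optional[List[str]] = None
    body: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fieldnames = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        body.append(line)
    if fieldnames is None:
        yield from csv.DictReader(body)
        return
    if body and body[0].split(",") == fieldnames:
        body = body[1:]  # the header row Exchange writes after '#Fields:'
    yield from csv.DictReader(body, fieldnames=fieldnames)


def matches_indicator(anchor_mailbox: str, backend_cookie: str) -> Optional[str]:
    """Return the matching column name(s), or None for a clean row."""
    reasons = []
    if fnmatch.fnmatchcase(anchor_mailbox or "", ANCHOR_PATTERN):
        reasons.append("AnchorMailbox")
    if fnmatch.fnmatchcase(backend_cookie or "", COOKIE_PATTERN):
        reasons.append("BackEndCookie")
    return "+".join(reasons) or None


def scan_httpproxy_log(text: str) -> List[Hit]:
    """Return every row whose AnchorMailbox/BackEndCookie matches the indicator."""
    hits: List[Hit] = []
    for row in iter_rows(text.splitlines()):
        anchor = row.get("AnchorMailbox") or ""
        cookie = row.get("BackEndCookie") or ""
        reason = matches_indicator(anchor, cookie)
        if reason:
            hits.append(Hit(row.get("DateTime") or "", row.get("ClientIpAddress") or "",
                            row.get("UrlStem") or "", anchor, cookie, reason))
    return hits


def suspicious_clients(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count flagged requests per source IP, the first pivot for triage."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.url_stem} [{h.reason}] AnchorMailbox={h.anchor_mailbox!r}")
    print("flagged requests per source IP:", suspicious_clients(found))
```

A hit is only a starting point: the matched rows give you the timestamp and source IP to pivot into the OABGenerator and ECP server logs and onto the filesystem for anything written around the same time.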
Detect webshells dropped on Microsoft Exchange servers exploited through the "ProxyLogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.