SUBJECT: Microsoft Exchange Server Remote Code Execution Vulnerability
TECH STACK: MICROSOFT EXCHANGE SERVER
DATE(S) ISSUED: JULY 13 and NOVEMBER 9, 2021
Microsoft Exchange Server Remote Code Execution Vulnerability. This three-part
pre-authentication remote code execution vulnerability in Microsoft Exchange Server
allows an attacker to bypass authentication, impersonate an arbitrary user, and write
an arbitrary file, resulting in remote code execution. By taking advantage of this
vulnerability, attackers can execute arbitrary commands on the remote Microsoft
This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.
This vulnerability is being actively exploited in the wild by multiple APT groups, including
LockFile Ransomware and others.
“Exchange Online” customers are protected (but must make sure that all hybrid
Exchange servers are updated).
If you are using Microsoft Exchange Server and have not installed the January
2022 Exchange Server Security Updates on your Exchange servers, then your servers
and data are vulnerable. Take the following steps:
1. Inventory your Exchange Servers / determine which updates are needed
2. Use the Exchange Server Health Checker script (use the latest release) to
inventory your servers. Running this script will tell you whether any of your Exchange
Servers are behind on updates (CUs and SUs).
3. Back up Exchange IIS/Server logs. Go to https://aka.ms/ExchangeUpdateWizard
and choose your currently running CU and your target CU to get directions for
your environment. At the time of this writing (04/07/2022), the January 2022
Exchange Server Security Updates can be found here.
● PLEASE NOTE: Patching only ensures that the vulnerability cannot be
further exploited. If you have already been breached, the software patches
do not address post-exploitation activity by a threat actor.
4. Identify and investigate your exposure windows for adversarial activity
● Identify and delete web shells and malicious binaries
● Review process activity for instances of w3wp.exe
● Identify and remove any persistence established by an actor
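The following PowerShell script is an added example that ties steps 1, 3 and 4 together; it is not part of this advisory and is not Microsoft's Health Checker script. It assumes an elevated PowerShell session on an on-premises Exchange server, that ExSetup.exe resolves on PATH (true on a standard install), that the Exchange install root can be read from the MsiInstallPath registry value written by setup, that IIS logs are at their default location, and that the backup folder $BackupRoot is a placeholder you replace. The fixed-build table is taken verbatim from the affected-version list above.

```powershell
# Added triage example; not part of the advisory and not Microsoft's Health Checker script.
# Assumptions: elevated PowerShell on an on-premises Exchange server; ExSetup.exe on PATH;
# install root taken from the registry value Exchange setup writes (MsiInstallPath);
# IIS logs at the default location; $BackupRoot is a constructed placeholder path.

$BackupRoot = 'D:\IR-Evidence'   # placeholder: point this at out-of-band storage

# Fixed builds exactly as listed in the advisory, keyed by major.minor.build (one key per CU).
$FixedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.15'   # Exchange 2013 CU23
    '15.1.2176' = [version]'15.1.2176.12'   # Exchange 2016 CU19
    '15.1.2242' = [version]'15.1.2242.5'    # Exchange 2016 CU20
    '15.2.792'  = [version]'15.2.792.13'    # Exchange 2019 CU8
    '15.2.858'  = [version]'15.2.858.9'     # Exchange 2019 CU9
}

function Get-ExchangeBuild {
    # ExSetup.exe carries the full build including the security-update revision,
    # which the CU-level version shown by Get-ExchangeServer does not.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.FileVersion
}

function Test-ExchangeBuild {
    # Step 1: compare the running build against the advisory's fixed-build table.
    param([Parameter(Mandatory)][version]$Build)
    $cuKey = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if ($FixedBuilds.ContainsKey($cuKey)) {
        $fixed = $FixedBuilds[$cuKey]
        if ($Build -ge $fixed) { return "Patched (build $Build >= $fixed)" }
        return "VULNERABLE (build $Build < fixed build $fixed)"
    }
    # A CU older than those listed for this product line has no SU and needs a CU upgrade;
    # a CU newer than the table is outside the advisory and must be checked with the Update Wizard.
    $sameLine = $FixedBuilds.Values | Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor }
    if ($sameLine | Where-Object { $_.Build -gt $Build.Build }) {
        return "VULNERABLE (build $Build is an older CU than those with a fix; upgrade the CU)"
    }
    return "Not in the advisory table (build $Build); verify at https://aka.ms/ExchangeUpdateWizard"
}

function Backup-IisLogs {
    # Step 3: preserve IIS logs before any remediation changes them.
    param([string]$Destination = "$BackupRoot\IISLogs-$(Get-Date -Format yyyyMMdd-HHmm)")
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path "$env:SystemDrive\inetpub\logs\LogFiles\*" -Destination $Destination -Recurse -Force
    return $Destination
}

function Get-W3wpChildProcesses {
    # Step 4: processes spawned by IIS worker processes (for example a shell or script host
    # with w3wp.exe as parent) are the classic sign of a web shell being used.
    $w3wpIds = (Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'").ProcessId
    Get-CimInstance Win32_Process |
        Where-Object { $_.ParentProcessId -in $w3wpIds } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
}

function Get-RecentWebFiles {
    # Step 4: server-executable web files written recently under the Exchange web roots
    # are candidates for web shells; compare each hit against a known-good build or backup.
    param([int]$Days = 30)
    $root  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup').MsiInstallPath
    $paths = @("$root\FrontEnd\HttpProxy", "$root\ClientAccess", "$env:SystemDrive\inetpub\wwwroot")
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $paths -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime, Length
}

# Run the checks and print a triage summary for this server.
$build = Get-ExchangeBuild
Write-Host "Exchange build $build : $(Test-ExchangeBuild -Build $build)"
Write-Host "IIS logs copied to $(Backup-IisLogs)"
Write-Host "`nProcesses spawned by w3wp.exe (investigate anything unexpected):"
Get-W3wpChildProcesses | Format-Table -AutoSize
Write-Host "`nWeb-executable files modified in the last 30 days under Exchange web roots:"
Get-RecentWebFiles -Days 30 | Format-Table -AutoSize
```

Run it on each server from the inventory in step 1 and keep the output with the log backup. The build check only tells you whether the security update is present; a clean result there says nothing about whether the server was already compromised, which is why the process and file checks run regardless of the patch status.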