
Install Exchange security updates urgently

There are currently still many Exchange servers that have not received the urgently needed security updates. This is not only about the ProxyLogon and ProxyShell vulnerabilities, which were already closed by the corresponding updates in April, but now also about the vulnerability CVE-2021-42321, which was closed with the latest Exchange updates.

The exploitation of ProxyLogon and ProxyShell has been reported for some time. TrendMicro, for example, is currently warning about the exploitation of the vulnerabilities:

TrendMicro has now observed that the above vulnerabilities are being used to send spam mails from the compromised organization's own Exchange server to its users. This removes what is, for many users, the most important criterion for recognizing an email as spam or malware: the sender address belongs to their own company. Most spam filters can also be bypassed in this way, because the organization's own Exchange server is usually configured as an exception.

CERT-Bund, too, has already pointed out that there are many vulnerable Exchange servers.

An exploit for the vulnerability CVE-2021-42321 is now publicly available:

So it won't be long before this vulnerability is also attacked automatically on a massive scale.

Exchange servers have very far-reaching permissions in Active Directory, so it is essential to install the available updates. There is a risk that ransomware could find its way into the network by exploiting these vulnerabilities. CVE-2021-42321 offers all the prerequisites for this: no user action is necessary, and because of the far-reaching permissions, ransomware could spread throughout the entire network. Because of Autodiscover, Exchange servers are very easy to find on the Internet, which makes automated, mass attacks even easier.

Another important note: Microsoft only ever publishes security updates for the current and the previous CU. The November updates are therefore available for Exchange 2016 CU21 and CU22, for example. This does not mean, however, that CU20 or lower is not affected by the vulnerability. Anyone running Exchange Server on an older CU must therefore first install a supported CU (for Exchange 2016 this is currently CU22) and then install the available security update.
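Because `Get-ExchangeServer` only reveals the installed CU and not the security update level, a quick inventory of both is the first step before deciding which servers need a CU upgrade and which only need the SU. The following script is an added example for this post, not code from Franky's Web or from Microsoft. It uses two documented mechanisms: the `AdminDisplayVersion` property of each server object (the CU) and the file version of `ExSetup.exe` on each server (which changes with every SU). The value of `$MinimumPatchedBuild` is a placeholder that you must fill in from Microsoft's "Exchange Server build numbers and release dates" table for the CU you run; the post itself does not list build numbers.

```powershell
# Added example (not from the original post): report CU and SU level of every
# Exchange server so that unsupported CUs and missing security updates stand out.
# Run in the Exchange Management Shell with an account that can read server
# objects and has remote PowerShell access to each server.

# PLACEHOLDER: replace with the ExSetup.exe build of the November 2021 SU for
# your CU, taken from Microsoft's build number table. '0.0.0.0' marks nothing
# as patched and is only here so the script runs as written.
$MinimumPatchedBuild = [version]'0.0.0.0'

$report = foreach ($server in Get-ExchangeServer) {
    # AdminDisplayVersion reflects the installed CU (e.g. "Version 15.1 (Build 2375.7)"),
    # but it does not change when a security update is applied.
    $cu = $server.AdminDisplayVersion.ToString()

    # The product version of ExSetup.exe is bumped by every SU, so it identifies
    # the patch level. Edge servers are not domain-joined, so this may fail there;
    # those show up as 'unknown' and must be checked by hand.
    $exsetupVersion = Invoke-Command -ComputerName $server.Name -ScriptBlock {
        (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
    } -ErrorAction SilentlyContinue

    $build = if ($exsetupVersion) { [version]$exsetupVersion } else { $null }

    [pscustomobject]@{
        Server       = $server.Name
        CU           = $cu
        ExSetupBuild = if ($build) { $build.ToString() } else { 'unknown' }
        Patched      = if ($build) { $build -ge $MinimumPatchedBuild } else { 'unknown' }
    }
}

# Unpatched and unknown servers float to the top of the list.
$report | Sort-Object Patched, Server | Format-Table -AutoSize
```

A server whose CU is older than the two CUs for which the SU was released will never reach the required `ExSetupBuild`, no matter how often the SU installer is run; as the post says, it needs the supported CU first and then the SU.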

Since the beginning of the year there have been several critical vulnerabilities in Exchange Server, and they are being actively exploited. It is therefore essential that the available updates are installed. Here is a screenshot from a reader showing what happens when the latest updates are not installed on an Exchange Server:

Incidentally, the entire Active Directory had to be reinstalled in this case.
