ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

Microsoft Exchange Exploit Attempt - CVE-2021-42321

Risk Factors

An attacker with network access to an unpatched Microsoft Exchange Server can exploit this vulnerability with public exploit code. An attacker can run code with SYSTEM privileges and gain complete control of a device.

Kill Chain

Exploitation

Risk Score

83

Detection diagram
Next in Exploitation: Microsoft Exchange Server Deserialization Exploit Attempt - [Multiple CVEs]

Attack Background

Microsoft Exchange has a remote code execution (RCE) vulnerability in the Exchange Web Services (EWS) endpoint, /ews/exchange.asmx. To exploit the vulnerability, the attacker submits a series of consecutive HTTP requests with SOAP messages. SOAP is an XML-based message protocol. First, the attacker sends a SOAP message that results in the exposure of inbox variable values. With these values, the attacker can delete existing user configurations for the inbox. Next, the attacker uploads a new user configuration by sending an HTTP request with a SOAP message that contains a malicious serialized payload. Finally, the attacker sends another SOAP message that causes the Exchange server to read the new user configuration and deserialize the malicious payload, running code on the victim.

Mitigation Options

Install patches for relevant versions

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right