DETECTION OVERVIEW
Risk Factors
Microsoft Exchange Servers that are exposed to the internet and missing the relevant security updates can be exploited by unauthenticated attackers. Several Exchange Server vulnerabilities that lead to remote code execution (RCE) are well known, and publicly available exploit code lowers the bar for attackers, who use these flaws to steal sensitive email or to install malware (typically a web shell) that facilitates further attacks.
Risk Score
87
Kill Chain
The Microsoft Exchange Server front-end (Client Access) architecture, which proxies client requests to the back-end server, contains a vulnerability that can be chained with other Exchange Server vulnerabilities. The first link in the chain, CVE-2021-26855, is a server-side request forgery (SSRF) flaw. The attacker sends an HTTP request carrying a forged cookie to the front-end Internet Information Services (IIS) site of the Exchange Server. The front end accepts the cookie and forwards the request to the back-end IIS site, which processes it with the front end's level of trust. The response discloses sensitive Exchange Server information, such as the security identifier (SID) of an administrator account. With that SID, a further SSRF request lets the attacker bypass authentication and reach the back end as that administrator. Once authenticated, the attacker exploits the remaining vulnerabilities in the chain (CVE-2021-26858 and CVE-2021-27065) to write arbitrary files to the Exchange server and achieve remote code execution (RCE). Because the front end forwards the forged request without any credentials, the entire chain is pre-authentication: the only prerequisite is network access to the front end over HTTPS.
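The two log-based checks below, an added example that is not part of the original page, show how the first and last links of this chain leave traces on the server. The SSRF in CVE-2021-26855 shows up in the front-end HttpProxy logs as an unauthenticated request whose AnchorMailbox column carries a ServerInfo~host/path back-end routing hint instead of a mailbox; the file write in CVE-2021-27065 shows up in the ECP server logs as a Set-...VirtualDirectory command. The log samples are constructed and use a reduced column set (the real HttpProxy log has many more columns, but AuthenticatedUser and AnchorMailbox are real column names); the file paths in the comments assume a default Exchange install.

```python
"""Detection of the ProxyLogon chain in Exchange CAS logs (added example).

Real log locations on a default install (assumption, not taken from the page):
  HttpProxy: %ExchangeInstallPath%Logging\\HttpProxy\\<protocol>\\*.log  (CSV with header)
  ECP:       %ExchangeInstallPath%Logging\\ECP\\Server\\*.log
"""
import csv
import io
import re

# Constructed HttpProxy sample with a reduced header. Row 'aaaa' is a normal
# authenticated OWA request, 'bbbb' a normal unauthenticated logon page fetch,
# and 'cccc' an unauthenticated request whose AnchorMailbox is a
# ServerInfo~<host>/<path> routing hint, i.e. the SSRF pattern of CVE-2021-26855.
HTTPPROXY_SAMPLE = """DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T10:00:01.000Z,aaaa,/owa/,alice@contoso.com,alice@contoso.com,10.0.0.5,200
2021-03-02T10:00:02.000Z,bbbb,/owa/auth/logon.aspx,,,10.0.0.7,200
2021-03-02T10:00:03.000Z,cccc,/ecp/y.js,,ServerInfo~localhost/autodiscover/autodiscover.xml?a=~1,203.0.113.9,200
"""

# Constructed, simplified ECP server log lines (the real format is more verbose).
# Line 'ecp-1' records a Set-OabVirtualDirectory call that changes ExternalUrl,
# which is how CVE-2021-27065 turns a configuration write into a file write.
ECP_SAMPLE = """2021-03-02T10:00:05.000Z,ecp-1,S:CMD=Set-OabVirtualDirectory -ExternalUrl 'http://o/#<script>'
2021-03-02T10:00:06.000Z,ecp-2,S:CMD=Get-OabVirtualDirectory
"""

# Any Set-*VirtualDirectory command in ECP logs is rare in normal operation
# and is the write primitive used by the chain; review every hit manually.
ECP_WRITE_PATTERN = re.compile(r"Set-.+VirtualDirectory", re.IGNORECASE)


def find_ssrf_requests(log_text):
    """Return HttpProxy rows matching the CVE-2021-26855 indicator.

    A legitimate AnchorMailbox is a mailbox identity (SMTP address, GUID, ...).
    A ServerInfo~host/path value on a request with no authenticated user means
    the front end routed an anonymous request to an arbitrary back-end URL.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if user == "" and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append(row)
    return hits


def find_vdir_writes(log_text):
    """Return ECP log lines that record a Set-*VirtualDirectory command."""
    return [line for line in log_text.splitlines() if ECP_WRITE_PATTERN.search(line)]


def main():
    for row in find_ssrf_requests(HTTPPROXY_SAMPLE):
        print("SSRF indicator:", row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    for line in find_vdir_writes(ECP_SAMPLE):
        print("VirtualDirectory write:", line)


if __name__ == "__main__":
    main()
```

Both checks are positive indicators, not proof of absence: a server can be compromised without a surviving HttpProxy entry (logs rotate, and an attacker with a web shell can delete them), so an empty result should be followed by a file-system sweep of the web roots for recently written .aspx files and by checking that the installed build includes the fix for these CVEs.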