Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Expert released PoC exploit code for Microsoft Exchange CVE-2021-42321 RCE bug

A researcher has released a proof-of-concept exploit code for an actively exploited vulnerability affecting Microsoft Exchange servers. The researcher Janggggg has published on Sunday a proof-of-concept exploit code for an actively exploited vulnerability, tracked as CVE-2021-42321, in Microsoft Exchange servers. The CVE-2021-42321 is a high-severity remote code execution issue that occurs due to improper validation of […]

Microsoft Exchange server Lockbit zero-day

A researcher has released a proof-of-concept exploit code for an actively exploited vulnerability affecting Microsoft Exchange servers.

The researcher Janggggg has published on Sunday a proof-of-concept exploit code for an actively exploited vulnerability, tracked as CVE-2021-42321, in Microsoft Exchange servers.

The CVE-2021-42321 is a high-severity remote code execution issue that occurs due to improper validation of cmdlet arguments. Microsoft pointed out that the flaw can be exploited only by an authenticated attacker.

Microsoft addressed the flaw with the release of Microsoft Patch Tuesday security updates for November 2021, the vulnerability impacts on-premises Exchange Server 2016 and Exchange Server 2019.

“We are aware of limited targeted attacks in the wild using one of vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment.” read the announcement published by Microsoft. “These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.”

“As many ppl requested, Here is the PoC of CVE-2021-42321, Exchange Post-Auth RCE This PoC just pop mspaint.exe on the target, can be use to recognize the signature pattern of a successful attack event” wrote the researcher on Twitter.

According to the FAQ section included in the November 2021 Exchange Server Security Updates users can check if exploit was attempted on their servers before the fix for CVE-2021-42321 was put in place by running the following PowerShell query on their Exchange server to check for specific events in the Event Log:

Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchange Common'; Level=2 } | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

There is no time to waste, experts are already observing threat actors scanning the web for vulnerable installs and exploit attempts.

https://twitter.com/GossiTheDog/status/1462831929955438597

In recent months, we observed a large number of attacks aimed at Microsoft Exchange installs carried out by both nation-state actors and financially-motivated attackers, for this reason, it is important to install the latest updates immediately. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]