Security News > 2021 > March > New PoC for Microsoft Exchange bugs puts attacks in reach of anyone
Since Microsoft disclosed actively exploited Microsoft Exchange security vulnerabilities, known collectively as ProxyLogon, administrators and security researchers have been scrambling to protect vulnerable servers exposed on the Internet.
The PoC provided enough information that security researchers and threat actors could use it to develop a functional remote code execution exploit for Microsoft Exchange servers.
This weekend, a different security researcher published a new ProxyLogon PoC that requires very little modification to exploit a vulnerable Microsoft Exchange server and drop a web shell on it.
"It's within the reach of"script kiddie" now," warned Dormann in our discussion about the PoC. As you can see from the image below, Dormann used the exploit against a Microsoft Exchange server and remotely installed a web shell, and executed the 'whoami' command.
Didier Stevens, a senior analyst at NVISO and SANS ISC senior handler, also tested the exploit against a Microsoft Exchange virtual machine but did not have as much luck with the PoC. In a conversation with BleepingComputer, Stevens said that he tested the new PoC against an unpatched Exchange 2016 with no cumulative updates.
Stevens said that new information in the PoC released this weekend enabled him to get Jang's PoC working to achieve successful remote code execution against his Microsoft Exchange server.
News URL
Related news
- Microsoft fixes 6 zero-days under active attack (source)
- Microsoft: Exchange Online mistakenly tags emails as malware (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)