Security News > 2021 > August > Microsoft Exchange ProxyToken bug can let hackers steal user email

Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account.

An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel application and steal messages from a victim's inbox.

Tracked as CVE-2021-33766, ProxyToken gives unauthenticated attackers access to the configuration options of user mailboxes, where they can define an email forwarding rule.

In Microsoft Exchange deployments where the "Delegated Authentication" feature is active, the frontend forwards the requests that need authentication to the backend, which identifies them by the presence of a 'SecurityToken' cookie.

The default configuration of Microsoft Exchange does not load for the backend ECP site the module responsible for delegating the validation process.

As in the case of ProxyShell vulnerabilities, if administrators of Microsoft Exchange servers have not installed the patches for ProxyToken, they should prioritize the task.

News URL

https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxytoken-bug-can-let-hackers-steal-user-email/