Expert released PoC exploit code for Microsoft Exchange CVE-2021-42321 RCE bug

A researcher has released a proof-of-concept exploit code for an actively exploited vulnerability affecting Microsoft Exchange servers.

The researcher Janggggg has published on Sunday a proof-of-concept exploit code for an actively exploited vulnerability, tracked as CVE-2021-42321, in Microsoft Exchange servers.

The CVE-2021-42321 is a high-severity remote code execution issue that occurs due to improper validation of cmdlet arguments. Microsoft pointed out that the flaw can be exploited only by an authenticated attacker.

Microsoft addressed the flaw with the release of Microsoft Patch Tuesday security updates for November 2021, the vulnerability impacts on-premises Exchange Server 2016 and Exchange Server 2019.

“We are aware of limited targeted attacks in the wild using one of vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment.” read the announcement published by Microsoft. “These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.”

“As many ppl requested, Here is the PoC of CVE-2021-42321, Exchange Post-Auth RCE This PoC just pop mspaint.exe on the target, can be use to recognize the signature pattern of a successful attack event” wrote the researcher on Twitter.

According to the FAQ section included in the November 2021 Exchange Server Security Updates users can check if exploit was attempted on their servers before the fix for CVE-2021-42321 was put in place by running the following PowerShell query on their Exchange server to check for specific events in the Event Log:

Get-WinEvent -FilterHashtable @{ LogName=’Application’; ProviderName=’MSExchange Common’; Level=2 } | Where-Object { $_.Message -like “*BinaryFormatter.Deserialize*” }

There is no time to waste, experts are already observing threat actors scanning the web for vulnerable installs and exploit attempts.

Just caught somebody in the wild trying to exploit CVE-2021-42321 to execute code on MailPot, by chaining it with ProxyShell (no, I don’t know why either – it doesn’t work).

— Kevin Beaumont (@GossiTheDog) November 22, 2021

In recent months, we observed a large number of attacks aimed at Microsoft Exchange installs carried out by both nation-state actors and financially-motivated attackers, for this reason, it is important to install the latest updates immediately. 

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

The post Expert released PoC exploit code for Microsoft Exchange CVE-2021-42321 RCE bug appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt