CVE-2021-26855


ProxyLogon | CVE-2021-26857 | CVE-2021-26858 | CVE-2021-27065

ProxyLogon is the formal generic name for CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate an admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default!

As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server with only port 443 open!

Check if you are running the patched version here

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

You will need to install the latest Cumulative Update (CU) first to be compliant.

| Release date | Product | Impact | Severity | Article | Download | Details |
|---|---|---|---|---|---|---|
| Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 18 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 7 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2019 Cumulative Update 8 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |
| Mar 2, 2021 | Microsoft Exchange Server 2016 Cumulative Update 19 | Remote Code Execution | Critical | 5000871 | Security Update | CVE-2021-26855 |

The Nmap NSE script was created by Microsoft and can be found here.

```
$ nmap -p 443 --script http-vuln-cve2021-26855 10.10.10.15

PORT    STATE SERVICE
443/tcp  open  https
| http-vuln-cve2021-26855:
|   VULNERABLE
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|
|     Disclosure date: 2021-03-02
|     References:
|       http://aka.ms/exchangevulns
```

The script accepts one optional argument, documented in the script itself:

```
@args http-vuln-cve2021-26855.method The HTTP method for the request. The default method is "GET".
```

TO BE CONTINUED

Remediation / log analysis / detection of already created webshells

Running identification script from Microsoft

https://github.com/microsoft/CSS-Exchange/raw/main/Security/Test-ProxyLogon.ps1

```
Welcome to the Exchange Management Shell!

[PS] C:\Users\Johndo-adm>.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Do you want to run software from this untrusted publisher?
File C:\Users\Johndo-adm\Test-ProxyLogon.ps1 is published by CN=Microsoft Corporation, O=Microsoft Corporation,
 L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"): R
ProxyLogon Status: Exchange Server EXCH01

  Nothing suspicious detected
```

A script to detect webshells dropped on Microsoft Exchange servers exploited through the “ProxyLogon” group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065):

https://github.com/cert-lv/exchange_webshell_detection

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.