Expert released PoC exploit code for Microsoft Exchange CVE-2021-42321 RCE bug

A researcher has released a proof-of-concept exploit code for an actively exploited vulnerability affecting Microsoft Exchange servers.

The researcher Janggggg has published on Sunday a proof-of-concept exploit code for an actively exploited vulnerability, tracked as CVE-2021-42321, in Microsoft Exchange servers.

The CVE-2021-42321 is a high-severity remote code execution issue that occurs due to improper validation of cmdlet arguments. Microsoft pointed out that the flaw can be exploited only by an authenticated attacker.

Microsoft addressed the flaw with the release of Microsoft Patch Tuesday security updates for November 2021, the vulnerability impacts on-premises Exchange Server 2016 and Exchange Server 2019.

“We are aware of limited targeted attacks in the wild using one of vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment.” read the announcement published by Microsoft. “These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.”

“As many ppl requested, Here is the PoC of CVE-2021-42321, Exchange Post-Auth RCE This PoC just pop mspaint.exe on the target, can be use to recognize the signature pattern of a successful attack event” wrote the researcher on Twitter.

According to the FAQ section included in the November 2021 Exchange Server Security Updates users can check if exploit was attempted on their servers before the fix for CVE-2021-42321 was put in place by running the following PowerShell query on their Exchange server to check for specific events in the Event Log:

Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchange Common'; Level=2 } | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

There is no time to waste, experts are already observing threat actors scanning the web for vulnerable installs and exploit attempts.

In recent months, we observed a large number of attacks aimed at Microsoft Exchange installs carried out by both nation-state actors and financially-motivated attackers, for this reason, it is important to install the latest updates immediately. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]