Skip to main content

The ACSC has observed targeting of the Microsoft Exchange ProxyShell vulnerability by Malicious actors.

Alert status
HIGH

Background / What has happened?

The ACSC is tracking three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 known collectively as ProxyShell) in Microsoft Exchange Servers that allow for unauthenticated remote code execution and arbitrary file upload with elevated privileges.

It is likely that threat actors will actively exploit these vulnerabilities against vulnerable Microsoft Exchange Servers.

  • CVE-2021-34473 provides a mechanism for pre-authentication remote code execution, enabling malicious actors to remotely execute code on an affected system. 
  • CVE-2021-34523 enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.
  • CVE-2021-31207 enables post-authentication malicious actors to execute arbitrary code in the context of SYSTEM and write arbitrary files.

Microsoft released patches to these vulnerabilities in April and May 2021.

Additional information can be found in the Microsoft advisories:

Mitigation / How do I stay secure?

The ACSC strongly recommends that organisations urgently:

  • Review their networks for vulnerable instances of Microsoft Exchange Servers.
  • Update their Microsoft Exchange Servers as identified in the Microsoft Advisories above.
  • Identify evidence of exploitation activity by reviewing proxy logs for requests to autodiscover/autodiscover.json with response code 200, 301 or 302 and containing one of the following strings:
    • powershell
    • mapi/nspi
    • mapi/emsmdb
    • EWS/
    • X-Rps-CAT

Microsoft has released security patches for the following versions of Microsoft Exchange:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019 

Assistance/ where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371). The ACSC also recommends that organisations implement web shell mitigation steps.