[ALERT] Advisory on Emergency patches for zero-day exploits in Microsoft Exchange

Background

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.

Impact

  • An attacker can gain access to an Exchange server either with stolen passwords or by using the zero-days to pose as personnel who should have access.
  • The attacker can then create a web shell to control the compromised server remotely, and use that remote access to steal data from the target’s network.
  • These vulnerabilities are actively being exploited in limited and targeted attacks:
    • CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability that could allow an attacker to send specially crafted web requests and authenticate as the Exchange Server.
    • CVE-2021-26857 – An insecure deserialization vulnerability in the Unified Messaging service that could allow an attacker to run code with escalated privileges on the Exchange Server.
    • CVE-2021-26858 and CVE-2021-27065 – Post-authentication arbitrary file-write vulnerabilities that could allow an authenticated attacker to upload files onto the server. The attacker could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Affected Systems

  • Microsoft Exchange Server 2010 (Service Pack 3)
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Recommendations

  • Administrators are strongly urged to install the latest Exchange Server security updates, which are available for the following releases:
    • Exchange Server 2010 (RU 31 for Service Pack 3 – this is a Defense in Depth update)
    • Exchange Server 2013 (CU 23)
    • Exchange Server 2016 (CU 19, CU 18)
    • Exchange Server 2019 (CU 8, CU 7)
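A practical first step for the recommendation above is to triage an Exchange server inventory against the release levels the advisory lists, because a server on an older Cumulative Update cannot take the security update until it is brought to a listed CU, and a server on a listed CU is only protected once the security update itself is installed. The script below is an added example, not part of this advisory or of any Microsoft tooling; the inventory records, their field names (`name`, `version`, `security_update_installed`) and the version-string format it parses are constructed assumptions for illustration.

```python
"""Triage an Exchange inventory against the CU/RU levels named in this advisory.

Added example: the inventory below is constructed sample data, and the record
fields and version-string format are assumptions of this example, not a
Microsoft API.
"""
import re

# Release levels for which the advisory says security updates are available.
# 2010 SP3 is handled separately: RU 31 is itself the (defense-in-depth) fix.
PATCHABLE_CU = {
    "2013": {23},
    "2016": {18, 19},
    "2019": {7, 8},
}

# Assumed display format, e.g. "Microsoft Exchange Server 2016 CU 19"
# or "Microsoft Exchange Server 2010 SP3 RU 30".
VERSION_RE = re.compile(
    r"Exchange Server (?P<year>\d{4}).*?\b(?:CU|RU)\s*(?P<level>\d+)\b",
    re.IGNORECASE,
)


def parse_level(display_name):
    """Return (release year, CU/RU number) or None if the string is unparseable."""
    m = VERSION_RE.search(display_name)
    if not m:
        return None
    return m.group("year"), int(m.group("level"))


def triage(server):
    """Classify one server record into the action a defender should take."""
    parsed = parse_level(server["version"])
    if parsed is None:
        return "UNKNOWN_VERSION"        # cannot assess; inspect the host manually
    year, level = parsed
    if year == "2010":
        # For 2010 SP3 the advisory names RU 31 as the update itself.
        return "PATCHED" if level >= 31 else "APPLY_RU31"
    supported = PATCHABLE_CU.get(year)
    if supported is None:
        return "NOT_IN_ADVISORY"        # product version the advisory does not cover
    if level < min(supported):
        return "UPGRADE_CU"             # SU is not offered for this CU; upgrade first
    if level > max(supported):
        return "NEWER_THAN_ADVISORY"    # check current vendor guidance for this CU
    # Being on a listed CU is necessary but not sufficient: the SU must be installed.
    return "PATCHED" if server.get("security_update_installed") else "APPLY_SU"


def triage_inventory(inventory):
    """Map every server name to its triage result."""
    return {s["name"]: triage(s) for s in inventory}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"name": "EX01", "version": "Microsoft Exchange Server 2016 CU 17"},
    {"name": "EX02", "version": "Microsoft Exchange Server 2016 CU 19",
     "security_update_installed": False},
    {"name": "EX03", "version": "Microsoft Exchange Server 2019 CU 8",
     "security_update_installed": True},
    {"name": "EX04", "version": "Microsoft Exchange Server 2010 SP3 RU 30"},
    {"name": "EX05", "version": "Microsoft Exchange Server 2013 CU 22"},
]

if __name__ == "__main__":
    for name, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name}: {status}")
```

The distinction between `UPGRADE_CU` and `APPLY_SU` is the one that matters operationally: the first group needs a CU upgrade (a larger change) before the fix can even be installed, while the second group can be patched immediately and should be prioritised. Servers reported as `UNKNOWN_VERSION` should not be assumed safe.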