A Vietnamese researcher published a proof-of-concept exploit (PoC) for a high-severity vulnerability in Microsoft Exchange Server. An attacker could compromise an unpatched machine to execute arbitrary code remotely.
The PoC is for one of the four flaws that the National Security Agency (NSA) reported to Microsoft – CVE-2021-28482. The tech giant released a fix for them in April.
Despite the patches and the bug being the least severe of the four, it still poses a serious risk to certain companies, researchers warn.
A technical summary of the PoC has been published by security researcher Nguyen Jang, who previously released a PoC exploit for the notorious ProxyLogon vulnerabilities. The researcher also published a demo exploit for CVE-2021-28482, written in Python, on GitHub. Will Dormann, a vulnerability analyst for CERT/CC, confirmed the validity of the code, noting that attackers can exploit this deserialization vulnerability only if they are authenticated on an on-premise Exchange Server instance that has not been patched with Microsoft’s April updates. The fact that an attacker must be authenticated to perform the attack lowers the risk of compromise but does not eliminate it.
Despite Microsoft releasing patches for ProxyLogon vulnerabilities and the set reported by the NSA, not all companies have updated their Exchange servers.
Will Dormann commented that if a company “doesn’t have April’s Exchange patches installed, if you can imagine an AUTHENTICATED attacker is a possibility, then assume CVE-2021-28482 was used.”
Even if this vulnerability does not allow mass scanning or exploitation, and is therefore not as serious as ProxyLogon, it still poses a real risk:
“Any Exchange instance where a single user has a password that has been leaked, or any organization that has a single malicious or even just compromised insider is at risk if they have not installed April’s Exchange update.”
Dormann believes anyone running on-premise machines without Microsoft’s April updates with the server exposed to the public internet “is in trouble.”