Detect Microsoft Exchange RCE #proxynotfound with our Network Vulnerability Scanner

Author(s)
Andra Zaharia Head of Content & Community

Updated at: April 29, 2024

Running on-prem Microsoft Exchange servers?

If you didn’t catch the NSA boilerplate announcement, there’s another batch of vulnerabilities to scan for – and we built what you need.

We just added a new detection module to our Network Vulnerability Scanner. It checks if your Exchange servers are vulnerable to the attack chain that exploits four recent CVEs and results in Remote Code Execution.

Ours is the second scanning tool of its kind in the world that can identify vulnerable servers remotely. That means you can probe systems by connecting to the target through the network, without local access or credentials.

Here’s why we built it.

No advisory? No PoC? No problem!

Since these CVEs were published (April 13, 2021), we’ve been looking for a detailed technical advisory – but it never came. No solid PoC exploit scripts surfaced either, so we took matters into our own hands.

Our team built a detection module that identifies Exchange servers vulnerable to the combination of pre-auth and post-auth vulnerabilities the NSA disclosed:

CVE-2021-28480 – CVSSv3 9.8
CVE-2021-28481 – CVSSv3 9.8
CVE-2021-28482 – CVSSv3 8.8
CVE-2021-28483 – CVSSv3 9.0

Bad actors love these because the first two vulns don’t even require authenticating to the exposed Exchange Server. All they have to do is to do thorough recon and send specially crafted requests to their target to get RCE.

If you’ve already dealt with ProxyLogon (for which we launched a dedicated scanner in March), know these security weaknesses have a similar operation model.

Detect the Micrososft Exchange RCE

Find exposed servers with the Network Vulnerability Scanner

Scan your targets

Patched or not? Detect the #proxynotfound attack chain

A malicious actor can only exploit the last two CVEs in this batch if they authenticate to the vulnerable Exchange Server. But, by chaining two of these flaws, they can skip that step altogether.

In April, we saw attackers use the same approach when they combined ProxyLogon with post-auth vulns to embed web shells and achieve persistence on unpatched Exchange servers. While this is not a replica of the ProxyLogon situation, we can use that cautionary tale to guide remediation efforts.

Once you know which servers need patching, you can deploy the cumulative update Microsoft released for these issues.

microsoft cumulative update proxynotfound

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

OWASP & CWE vuln classifcation added, wordlist limit increased, and more updates

New modules, methods & payload - April updates

Platform updates

Visualize exploit paths with the Sniper network graph

Whether working in offensive or defensive security, we all see it: high-risk, widespread vulnerabilities cause significant disruptions to already struggling security teams.

Author(s)

Andra Zaharia

Published at: 23 Jun 2022

Platform updates

April updates: Get RCE evidence for 6 critical CVEs

After weeks of working on auto-exploitation for this critical CVE (CVSSv3 9.8), we finally have it! As a Pentest-Tools.com customer, you can run Sniper Auto-Exploiter to get conclusive proof that validates targets vulnerable to this high-risk vulnerability, which bad actors have already shown interest in.

Author(s)

Ioana Rijnetu

Published at: 05 May 2022

Platform updates

March updates: Spring4Shell: find and confirm exploitable targets and more updates

If you instantly thought of Log4Shell when Spring4Shell emerged just a few days ago, you’re not alone. A coolheaded analysis reveals this CVE is not as severe as last year’s Log4j vulnerability. Nevertheless, it remains a priority in terms of detection and patching. Here’s why.

Author(s)