HomePentest-Tools.com Logo

Microsoft Exchange - ProxyLogon Backdoor Webshells (CVE-2021-26855, CVE-2021-27065) (CVE-2021-26855, CVE-2021-27065)

Severity
CVSSv3 Score
9.8
Vulnerability description

The Exchange server has been compromised by malicious actors and at least one backdoor webshell was left on the system. This webshell is typically used by attackers to execute arbitrary remote commands on the server with the privileges of the most powerful Windows user nt-authority/system.

Risk description

Even though the Exchange server may be patched right now, the attackers have exploited it before the update using the ProxyLogon attack and they have left this backdoor.

Recommendation

Run the Microsoft Safety Scanner tool that is designed to find and remove any webshells or other malware from the server: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Furthermore, ensure that the Exchange server is patched so it is no longer vulnerable to ProxyLogon. Since the attackers have already gained full access to the system, you should assume that sensitive data (ex. emails) has been compromised and we suggest implementing an internal investigation to uncover the full implications of this attack.

Codename
ProxyLogon Backdoor Webshells
Detectable with
Network Scanner
Exploitable with Sniper
No
Vuln date
Mar 2021
Published at
Updated at
Software Type
Email server
Vendor
Microsoft
Product
Exchange Server