Microsoft Exchange - ProxyLogon Backdoor Webshells (CVE-2021-26855, CVE-2021-27065) (CVE-2021-26855, CVE-2021-27065)
- CVSSv3 Score
- Vulnerability description
The Exchange server has been compromised by malicious actors and at least one backdoor webshell was left on the system. This webshell is typically used by attackers to execute arbitrary remote commands on the server with the privileges of the most powerful Windows user
- Risk description
Even though the Exchange server may be patched right now, the attackers have exploited it before the update using the ProxyLogon attack and they have left this backdoor.
Run the Microsoft Safety Scanner tool that is designed to find and remove any webshells or other malware from the server: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Furthermore, ensure that the Exchange server is patched so it is no longer vulnerable to ProxyLogon. Since the attackers have already gained full access to the system, you should assume that sensitive data (ex. emails) has been compromised and we suggest implementing an internal investigation to uncover the full implications of this attack.
- ProxyLogon Backdoor Webshells