Description 

Security researches have detected active exploitation attempts of ProxyShell vulnerabilities patched by Microsoft in Exchange Servers back in May 2021.

The ProxyShell vulnerabilities being exploited by malicious actors are the following:

• Remote Code Execution Vulnerability – CVE-2021-34473

• Elevation of Privilege Vulnerability – CVE-2021-34523

• Security Feature Bypass Vulnerability – CVE-2021-31207

Affected systems

Microsoft Exchange Server 2013, 2016 and 2019

Security Risks

If the identified vulnerabilities in Microsoft Exchange Servers are left unpatched, malicious cyber actors can bypass Access Control Lists (ACLs) controls, elevate privileges on the Exchange ProxyShell backend, permitting the malicious actor to perform unauthenticated, remote code execution.

For the list of security patches released by Microsoft for Exchange servers, please refer to May 11, 2021 Microsoft Security Update

Recommended Actions

The National Cyber Security Authority (NCSA) strongly recommends to Microsoft Exchange Servers administrators to:

1. Apply, if not already done, the latest security updates for the Microsoft Exchange Servers in use in their institution via Security Update for Microsoft Exchange Server 2019, 2016 and 2013,

2. Regularly examine their systems for any malicious activity,

3. Prioritize installing security updates for Exchange Servers (On-Premise) that are internet facing,

4. Before any update task, please ensure you have good backup that can easily be restored.

For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009

Reference

• Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: May 11, 2021 (KB5003435)

• Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities

• Microsoft Exchange Under Attack with ProxyShell Flaws

• Microsoft Security Update Guide