Advisory: 0-day RCE Vulnerability in Microsoft Exchange Actively Exploited by Threat Actors

Executive Summary

• CVE-2021-31206 is an unauthenticated RCE vulnerability targeting MS Exchange servers that enable attackers to compromise Internet-facing instances.
• The zero-day vulnerability is being actively exploited by threat actors to target Windows users.
• This vulnerability can be exploited to run arbitrary code in the target system. However, it requires an authenticated user, in a specific exchange role, to be compromised.

Analysis

Technical Details

• CVE-2021-31206 is a flaw in the parsing of archive-file format for Microsoft Windows or CAB(Cabinet) files.
• When handling filenames specified within a CAB file, the process does not properly validate a user-supplied path prior to using it in file operations.
• An attacker can leverage this, in conjunction with other vulnerabilities, to execute arbitrary code in the context of SYSTEM.

Affected Platforms

Information from Cybercrime Forums

CloudSEK’s Threat Intelligence Research team has observed that the exploit code for this vulnerability is available with multiple threat actors and is being actively exploited by following threat groups:

• Ransomware Operators
• Advanced Persistent Threats
• Access Brokers 

Sample activities of threat actors, especially access brokers, on underground forums, enquiring for a working exploit code for the vulnerability.

Impact & Mitigation

Impact

• RCE vulnerabilities allow attackers to execute commands and gain control over victims’ systems. 
• Attackers can use RCE in vulnerable Exchange servers to get initial access to internal networks. 
• Attackers can then laterally move across internal networks to further the attack by deploying ransomware or by exfiltrating critical information. 

Mitigation

Patches for various Microsoft Exchange product versions were released on 13 July 2021: