Advisory: 0-day RCE Vulnerability in Microsoft Exchange Actively Exploited by Threat Actors

An RCE vulnerability in MS Exchange servers that enables attackers to compromise Internet-facing instances. The zero-day vulnerability is being actively exploited by threat actors to target Windows users.
Updated on: April 19, 2023
Published on: November 19, 2021
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution (RCE Vulnerability)
CVE ID: CVE-2021-31206
CVSS:3.0 Score: 7.6 High-Risk
Target: Windows Server 2019/2016/2013
Reference: * https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability ; # https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CVE-2021-31206 is an unauthenticated RCE vulnerability targeting MS Exchange servers that enables attackers to compromise Internet-facing instances.
  • The zero-day vulnerability is being actively exploited by threat actors to target Windows users.
  • This vulnerability can be exploited to run arbitrary code on the target system. However, it requires an authenticated user, in a specific Exchange role, to be compromised.
 

Analysis

Technical Details

  • CVE-2021-31206 is a flaw in the parsing of the Microsoft Windows Cabinet (CAB) archive file format.
  • When handling filenames specified within a CAB file, the process does not properly validate a user-supplied path prior to using it in file operations.
  • An attacker can leverage this, in conjunction with other vulnerabilities, to execute arbitrary code in the context of SYSTEM.
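As an added defensive illustration (not part of the advisory, and not Microsoft's or CloudSEK's code), the script below reads the CFFILE directory of a Cabinet image and rejects entry names that would leave the extraction directory, which is the validation the second bullet describes as missing. The record layouts follow the published MS-CAB format; the sample cabinet is constructed inline and carries no CFDATA blocks.

```python
"""Inspect the CFFILE directory of a Microsoft Cabinet (.cab) image and flag
entry names that would escape the extraction directory before any file
operation uses them (the validation the advisory says was missing)."""
import struct
from typing import List
MSCF = b"MSCF"
ATTRIB_NAME_IS_UTF = 0x80  # CFFILE.attribs bit: szName is UTF-8 (MS-CAB)

def list_cab_entry_names(data: bytes) -> List[str]:
    """Return every CFFILE szName; coffFiles locates the first record, cFiles counts them."""
    if data[:4] != MSCF:
        raise ValueError("not a CAB image")
    # reserved1, cbCabinet, reserved2, coffFiles, reserved3, versionMinor,
    # versionMajor, cFolders, cFiles, flags, setID, iCabinet
    fields = struct.unpack_from("<IIIIIBBHHHHH", data, 4)
    pos, names = fields[3], []
    for _ in range(fields[8]):
        # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName\0
        attribs = struct.unpack_from("<IIHHHH", data, pos)[5]
        pos += 16
        end = data.index(b"\x00", pos)
        enc = "utf-8" if attribs & ATTRIB_NAME_IS_UTF else "cp1252"
        names.append(data[pos:end].decode(enc, errors="replace"))
        pos = end + 1
    return names

def is_unsafe_cab_name(name: str) -> bool:
    """True for absolute paths, drive letters, or any '..' component (either
    separator): such a name cannot be kept under the extraction directory."""
    if name.startswith(("\\", "/")) or (len(name) > 1 and name[1] == ":"):
        return True
    return ".." in name.replace("/", "\\").split("\\")

def unsafe_cab_entries(data: bytes) -> List[str]:
    """Directory entries a safe extractor must reject."""
    return [n for n in list_cab_entry_names(data) if is_unsafe_cab_name(n)]

def build_cab_directory(names: List[str]) -> bytes:
    """Constructed sample image (not a real cabinet): CFHEADER, one empty
    CFFOLDER and one CFFILE per name, no CFDATA blocks."""
    files = b"".join(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0) + n.encode("cp1252") + b"\x00"
                     for n in names)
    folder = struct.pack("<IHH", 44 + len(files), 0, 0)  # coffCabStart, cCFData, typeCompress
    header = MSCF + struct.pack("<IIIIIBBHHHHH", 0, 44 + len(files), 0, 44, 0,
                                3, 1, 1, len(names), 0, 0, 0)
    return header + folder + files

SAMPLE = build_cab_directory(["docs\\readme.txt", "..\\..\\outside.txt",
                              "C:\\abs\\file.txt", "sub/../../escape.txt"])
```

Only the directory is parsed, so the same check can run on a cabinet before any extractor touches the file system.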
 

Affected Platforms

Windows Platform    Build Version
Windows Server      2013 CU23, 2016 CU20, 2016 CU21, 2019 CU10

Information from Cybercrime Forums

CloudSEK’s Threat Intelligence Research team has observed that exploit code for this vulnerability is available to multiple threat actors and is being actively exploited by the following threat groups:
  • Ransomware Operators
  • Advanced Persistent Threats
  • Access Brokers
Sample activities of threat actors, especially access brokers, on underground forums, enquiring about working exploit code for the vulnerability:
[Figure: Darkweb post about CVE-2021-31206 - RCE vulnerability]

Impact & Mitigation

Impact

  • RCE vulnerabilities allow attackers to execute commands and gain control over victims' systems. 
  • Attackers can use RCE in vulnerable Exchange servers to get initial access to internal networks. 
  • Attackers can then laterally move across internal networks to further the attack by deploying ransomware or by exfiltrating critical information. 

Mitigation

Patches for various Microsoft Exchange product versions were released on 13 July 2021:
Product                                               Article
Microsoft Exchange Server 2019 Cumulative Update 10   5004780
Microsoft Exchange Server 2016 Cumulative Update 21   5004779
Microsoft Exchange Server 2013 Cumulative Update 23   5004778
Microsoft Exchange Server 2016 Cumulative Update 20   5004779
Microsoft Exchange Server 2019 Cumulative Update 9    5004780