New 0-day on Microsoft Exchange…

By Przemek

The Devcore team is still riding the wave: this time they scooped up $200,000 (under the ZDI program) for another 0-day exploit on Microsoft Exchange. This time there aren’t any patches available, but they probably will be very soon.

We have conducted a security audit for California services regarding the vulnerability in Microsoft Exchange systems. We came across reports showing that the previous vulnerability, CVE-2021-26855, is still not patched at many companies. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.

The attacker can use the vulnerability to steal the full contents of several user mailboxes. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment.

Even ACER was hit with ransomware through exploitation of this vulnerability (read here).

A patch for CVE-2021-26855 has been available since Mar 2, 2021, so the administrators of those unpatched services are probably waiting for uninvited guests.