Several flaws in Microsoft Exchange Server disclosed over the last two years remain valuable to attackers, who exploit them in ransomware and targeted attacks against organizations that have yet to patch their systems. Patching the flaws outlined below is strongly recommended.
Over the last few years, threat actors of all kinds have begun to favor a class of vulnerabilities in Microsoft Exchange Server, a popular mail server used by tens of thousands of organizations around the world.
This shift began following the disclosure of ProxyLogon (CVE-2021-26855) and related vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in March 2021. These vulnerabilities were originally exploited in the wild as zero-days by a state-sponsored threat actor known as HAFNIUM.
In August 2021, following the disclosure of another set of Exchange Server vulnerabilities, dubbed ProxyShell, attackers actively searched for vulnerable Exchange Server instances to target. Both ProxyLogon and ProxyShell continue to be exploited over a year after they were disclosed and patched.