
CVE-2021-34473

Published: 14/07/2021 Updated: 28/12/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9
VMScore: 895
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Autodiscover service. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.

Vulnerability Trend

Vulnerable Products

microsoft exchange server 2013

microsoft exchange server 2019

microsoft exchange server 2016

Exploits

This Metasploit module exploits a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vu ...

Github Repositories

Proof of Concept for CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207

ProxyShell Proof of Concept Exploit for Microsoft Exchange CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. Details: for background information and context, read the blog post detailing the research by Horizon3: www.horizon3.ai/news/blog/proxyshell. Features: no email address needs to be supplied; attempts to enumerate emails from Active Directory; attempts to enumerate Legac

A collection of intelligence about Log4Shell and its exploitation activity.

Log4Shell-IOCs. Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j (Blog | Twitter | LinkedIn). Analyst Comments, 2021-12-13: IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE; we strongly recommend NOT adding them to a blocklist. These could potential

Babuk-Ransomware RELATED IOCs, MITIGATION STEPS AND REFERENCE LINKS. Common Vulnerabilities and Exposures (CVE): CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. IOCs (Indicators of compromise): PAYLOAD: bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49. RELATED SAMPLES: b3b66f7e70f1e1b1494677d0ed79fcc7d4901ffae53d89fd023c8b789bb0fe62 - reverse shell to 185[]219[]

A massive scanner for CVE-2021-34473 Microsoft Exchange Windows Vulnerability

CVE-2021-34473-NMAP-SCANNER: a massive scanner for CVE-2021-34473 Microsoft Exchange Windows Vulnerability. Commands: nmap -iR 500000 -n -p 443 --script cve202134473.nse > scan500k.txt; nmap website.com -n -p 443 --script cve202134473.nse. Example: Starting Nmap 7.92 ( nmap.org ) at 2022-11-16 08:17 Hora Padrão de Greenwic

Indicators of compromise of the HIVE cybercriminal group, related to the recent attack on the C.C.S.S. of Costa Rica 🇨🇷

HIVE-INDICADORES-DE-COMPROMISO-IOCs. Indicators of compromise of the HIVE cybercriminal group, related to the recent attack on the CCSS of Costa Rica 🇨🇷. On 31 May 2022, in the early hours of the morning, a possible cyberattack against the systems of the Caja Costarricense del Seguro Social (CCSS) was recorded, involving ransomware and data exfiltration; in response to the cyberat

A simple script to check for ProxyShell

ProxyShell-CVE-2021-34473 A simple script to check for ProxyShell

syllabus: Introduction; Definition; Framework; MITRE ATT&CK; MITRE CALDERA (Introduction, configuration); Use Case 2: Initial Access; Public-Facing Exploit (CVE-2022-6099, PHP-810 RCE, CVE-2021-34473, CVE-2021-21972); Client Side (Macro Attack, XML macro, SYLK, DDE, ActiveX); Social Engineering; Internal (Responder, Shell Command Files, XSL

nuclei scanner for proxyshell ( CVE-2021-34473 )

Proxyshell-Scanner: nuclei scanner for Proxyshell RCE (CVE-2021-34423, CVE-2021-34473, CVE-2021-31207) discovered by Orange Tsai at Pwn2Own, which affects Microsoft Exchange Server. POC Resource: blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html, https:/

Scanner for CVE-2021-34473, ProxyShell, A Microsoft Exchange On-premise Vulnerability

CVE-2021-34473-scanner: Scanner for CVE-2021-34473, ProxyShell, a Microsoft Exchange On-premise Vulnerability. To test machines one by one, use scanner-CVE-2021-34473.bat: scanner-CVE-2021-34473.bat mail.exemple.fr. To test multiple machines at once, use mass-scanner and add the IPs/FQDNs to check, one per line, in servers-to-check.txt: mass-scanner-CVE-2021-34473.bat. Remediation dependi

CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-34473: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability. Reproducing ProxyShell Exploit: y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/. This is NOT your cyberweapon, just an experimental PoC.

ProxyShell Scanner

CVE-2021-34473
python3.8 proxyshell_scanner.py --help
usage: proxyshell_scanner.py [-h] [--thread THREAD] --file FILE --output OUTPUT
optional arguments:
  -h, --help       show this help message and exit
  --thread THREAD
  --file FILE
  --output OUTPUT

POC for scanning ProxyShell(CVE-2021-34523,CVE-2021-34473,CVE-2021-31207)

ProxyShell_POC: POC for scanning ProxyShell (CVE-2021-34523, CVE-2021-34473, CVE-2021-31207). Usage: python3 Proxyshell.py {ip}

data_from_pentest

Themes for Repeat: Enumeration (Linux, Windows). Which new tools I learn and for what purpose? Phishing with reverse shell (bypass and hidden). RE-exploitation techniques (RID, Pstools, creating new users with high privileges). Enumeration of domain. Pass The Hash (Sym, system dump). API [+] API [+] github.com/arainho/awesome-api-security. Types of reconnaissance activities

(Pre-)compromise operations for MITRE CALDERA

(Pre-)compromise operations for CALDERA. Extend your CALDERA operations over the entire adversary kill chain. In contrast to MITRE's access plugin, caldera-precomp attempts to traverse the first phases of the kill chain (reconnaissance, initial access, command and control) in an autonomous manner. Even more so than post-compromise operations, the (pre-)compromise domain is ful

CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability

ProxyShell (CVE-2021-34473): CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability. This faulty URL normalization lets us access an arbitrary backend URL while running as the Exchange Server machine account. Although this bug is not as powerful as the SSRF in ProxyLogon, and we could manipulate only the path part of the URL, it’s still powerful enoug

ProxyShell-POC-Mod: a Proof of Concept for the ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) vulnerability. This exploit code is a merge of two POCs. They both had pros & cons, so I merged them. Credits to @donnymaasland (github.com/dmaasland/proxyshell-poc) & @ber_m1ng (github.com/ktecv2000/ProxyShell). Motivation: I used both the above PO

Recent Articles

Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
Symantec Threat Intelligence Blog • Threat Hunter Team • 21 Oct 2024

Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.

Posted: 21 Oct 2022 (8 min read). Symantec’s Threat Hunter Team has discovered that at least one affiliate of the BlackByte ransomware (Ransom.Blackbyte) operation has begun using a custom data exfiltration tool during their attacks. The malware (...

Ransomware: How Attackers are Breaching Corporate Networks
Symantec Threat Intelligence Blog • Karthikeyan C Kasiviswanathan Vishal Kamble • 28 Apr 2024

Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

Posted: 28 Apr 2022 (8 min read). Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most freq...

From Caribbean shores to your devices: analyzing Cuba ransomware
Securelist • Alexander Kirichenko • 11 Sep 2023

Introduction. Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one. Cuba ransomware gang. (Figure: Cuba data leak site.) The group’s offensives first got on our radar in lat...

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
Securelist • Vitaly Morgunov • 19 Dec 2022

Summary. At the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability – CVE-2022-41082. The second vulnerability, in turn, allows remote code exec...

GitHub picks Friday 13th to kill off password-based Git authentication
The Register • Chris Williams, Editor in Chief • 12 Aug 2021

Plus: eBPF Foundation emerges, Exchange servers probed for ProxyShell holes, and more

In brief If your Git operations start failing on Friday, August 13 with GitHub, it may well be because you're still using password authentication – and you need to change that. In December, the source-code-hosting giant warned it will end password-based authentication for Git pushes and the like. From 1600 UTC (1700 BST, 0900 PST) on Friday, that shutdown will come into effect. As such, you'll need to use authentication tokens to complete your Git operations with GitHub. "As previously announc...

What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft
The Register • Iain Thomson in San Francisco • 14 Jul 2021

Four flaws already being abused in the wild to compromise victims

Microsoft released an XL-sized bundle of security fixes for its products for this month's Patch Tuesday, and other vendors are close behind in issuing updates. The Windows goliath's batch for July has 117 patches, 13 for what's said to be critical bugs, 103 important, and one moderate. Normally, we'd encourage you to install these updates, testing them as appropriate prior to deployment, before miscreants develop exploits for them. However, four of these holes are already being exploited in the ...

Five Eyes nations reveal 2021's fifteen most-exploited flaws
The Register • Jessica Lyons Hardcastle

Malicious cyber actors go after 2021's biggest misses, spend less time on the classics

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021, according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies. It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years' lists often found miscreants exploiting the older vulns for which patches had been available for years. Of course, the US Cyb...

Hive ransomware affiliate zeros in on Exchange servers
The Register • Jeff Burt

Threat actor exploited known vulnerabilities in the Microsoft software to compromise multiple systems

An affiliate of the aggressive Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers to encrypt and exfiltrate data and threaten to publicly disclose the information if the ransom isn't paid. In a recent attack on an unnamed organization, the Hive affiliate rapidly compromised multiple devices and file servers by exploiting the ProxyShell vulnerabilities in Exchange servers, encrypting the data within 72 hours of the start of the attack, threat hunters with data...

Steganography alert: Backdoor spyware stashed in Microsoft logo
The Register

Now that's sticker shock

Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East. The Witchetty gang used steganography to stash backdoor Windows malware, dubbed Backdoor.Stegmap, in the bitmap image. "Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files," researchers at Symantec's Threat Hunter Team wrote this week. "Disguising the payload in this ...
