CVE-2021-34473:

Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyShell)

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Jul 14, 2021
CISA KEV Date:Nov 3, 2021
Industries Affected:20

Armis Early Warning:

112 Days

Threat Predictions

EPSS Score:94.3
EPSS Percentile:100%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyShell)

Overview

This vulnerability (CVE-2021-34473) is one of three vulnerabilities that comprise the ProxyShell exploit chain (along with CVE-2021-34523 and CVE-2021-31207). When exploited, it allows attackers to bypass pre-authentication access control and impersonate arbitrary users on the Exchange server. The vulnerability affects Microsoft Exchange Server 2013, 2016, and 2019. The root cause is improper validation of URL paths in the Exchange PowerShell backend, which enables server-side request forgery (SSRF) attacks. This vulnerability has a CVSS base score of 9.8 (Critical) and has been actively exploited in the wild since its disclosure.

Remediation

1. Apply the July 2021 security updates for Microsoft Exchange Server immediately.
2. If you cannot update immediately, implement URL Rewrite mitigation as a temporary measure.
3. Monitor for indicators of compromise, including unusual PowerShell commands or web shell deployments.
4. Implement network segmentation to limit access to Exchange servers.
5. Enable Extended Protection for Authentication on all Exchange servers.
6. Ensure all Exchange servers are properly configured with the latest security recommendations from Microsoft.
7. Consider implementing additional security controls such as a web application firewall configured to detect and block exploitation attempts.