4:45pm, 8 August 2021
Active scanning for Microsoft Exchange Proxyshell vulnerability
CERT NZ is aware of reports that attackers are scanning for, and attempting to exploit, Microsoft Exchange servers vulnerable to Proxyshell – a chain of three previously patched vulnerabilities in Microsoft Exchange Server.
The three vulnerabilities are:
1. CVE-2021-34473
2. CVE-2021-34523 – both had security updates released in April 2021, and
3. CVE-2021-31207, which had a security update released in May 2021.
Together this chain of vulnerabilities allows an unauthenticated attacker to remotely execute arbitrary commands as SYSTEM.
CERT NZ recommends that organisations immediately make sure their servers have the most recent security updates applied.
What's happening
Systems affected
The following systems are affected by these vulnerabilities if they have not been updated to the May 2021 Cumulative Update package (KB5003435):
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
What this means
Successful exploitation of these vulnerabilities would allow a remote attacker to execute commands on the Exchange server as SYSTEM. This allows for complete control of the Exchange server, and may allow access to other systems in the network.
What to look for
How to tell if you're at risk
Your organisation is at risk if you run a Microsoft Exchange server and haven’t updated to the May 2021 Cumulative Update package (KB5003435).
How to tell if you're affected
Check your Exchange server's IIS logs for requests to the /autodiscover/autodiscover.json URI path that contain parameters including /mapi/nspi/.
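The log check above, as an added example that is not part of the CERT NZ advisory: a Python scan of IIS logs for the indicator it names. The log lines are constructed, and the logs are assumed to be in the W3C extended format with a #Fields directive; the function and constant names are illustrative.

```python
import sys
from urllib.parse import unquote

STEM = "/autodiscover/autodiscover.json"  # URI path named in the advisory
MARKER = "/mapi/nspi/"                    # parameter content named in the advisory
REPORT = ("date", "time", "c-ip", "cs-method", "sc-status")

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-08 03:12:45 192.0.2.10 GET /autodiscover/autodiscover.json x=constructed/mapi/nspi/ 443 - 203.0.113.7 sample-agent 200
2021-08-08 03:13:02 192.0.2.10 POST /Autodiscover/Autodiscover.json x=constructed%2FMAPI%2Fnspi%2F 443 - 203.0.113.7 sample-agent 302
2021-08-08 03:14:10 192.0.2.10 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.23 sample-agent 401
2021-08-08 03:15:31 192.0.2.10 GET /autodiscover/autodiscover.json Protocol=ActiveSync 443 - 198.51.100.23 sample-agent 200
"""


def find_suspect_requests(lines):
    """Return one dict per log entry that matches the advisory's indicator."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column order can change mid-file, so follow the latest directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        entry = dict(zip(fields, values))
        # Decode and lowercase so percent-encoding or case changes cannot hide a match.
        stem = unquote(entry.get("cs-uri-stem", "")).lower()
        query = unquote(entry.get("cs-uri-query", "")).lower()
        if STEM in stem and MARKER in stem + "?" + query:
            hits.append({name: entry.get(name, "-") for name in REPORT})
    return hits


if __name__ == "__main__":
    # Pass IIS log files as arguments; with none, the constructed sample is scanned.
    for path in sys.argv[1:] or [None]:
        if path:
            with open(path, encoding="utf-8", errors="replace") as handle:
                found = find_suspect_requests(handle)
        else:
            found = find_suspect_requests(SAMPLE_LOG.splitlines())
        for hit in found:
            print(path or "sample", *hit.values())
```

A match shows that a request carrying the indicator reached the server; the client address, time and status code in each hit give the starting point for further review.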
What to do
Prevention
CERT NZ recommends that you update your Microsoft Exchange server to the latest security release immediately. See the Microsoft support article below to determine the correct updates for your Exchange server.
More information
Microsoft support article with instructions for applying updates
Microsoft Security Centre (MSRC) advisory about CVE-2021-34473
MSRC advisory about CVE-2021-34523
MSRC advisory about CVE-2021-31207
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384.