Beware: Microsoft Exchange zero-day actively exploited in the wild
The unpatched vulnerability allows carrying out remote code execution (RCE) attacks on affected systems.

Threat actors are actively exploiting a previously undisclosed security flaw in fully patched Microsoft Exchange servers, researchers at cybersecurity firm GTSC have warned.

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” researchers said in a blog post.


Researchers detected exploit requests on a client’s system and, after checking the log, discovered that attackers were able to execute commands on the attacked system.

Threat actors used the Microsoft Exchange bug to drop obfuscated webshells on Exchange servers. According to GTSC, the attackers favor Antsword, an actively maintained, Chinese-developed open-source, cross-platform website administration tool.

“We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese,” reads the blog post.

Researchers submitted the vulnerability to the Zero Day Initiative (ZDI), where the two bugs were verified and acknowledged with respective Common Vulnerability Scoring System (CVSS) scores of 8.8 and 6.3.

Security researcher Kevin Beaumont looked into GTSC's findings and confirmed that attacks have been happening on Exchange servers, matching an attack path GTSC outlined in its blog.

“I can’t say for sure it’s a zero-day, with the information provided — it looks more ProxyShell to me,” Beaumont said in a blog post.

GTSC recommends that organizations running Microsoft Exchange Server review and apply the temporary remedies outlined in the research that disclosed the vulnerability.


Microsoft's investigating the bugs

In reaction to the news about the zero-day flaw, Microsoft released customer guidance. The company says it is still investigating the reported zero-day vulnerabilities, but it has acknowledged that attacks are already being carried out using them.

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. [...] It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities,” the company said.

Microsoft said it is working on a fix and has published mitigation and detection guidance to help customers protect against attacks. Further details can be found on Microsoft's Security Response Center.