CRITICAL REMOTE CODE EXECUTION FLAWS IN MICROSOFT EXCHANGE ARE BEING ACTIVELY EXPLOITED

March 5, 2021

The SonicWall Capture Labs Threat Research team has received reports that threat actors are actively exploiting the following Microsoft Exchange vulnerabilities:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

These vulnerabilities allow attackers to access email stored on the affected Exchange servers, which could include sensitive or personal data.

Affected Products:

Microsoft Exchange Server 2013, 2016 and 2019 are affected by these vulnerabilities. Users should apply the updates as soon as possible. Microsoft has also released a “Defense in Depth” update for Exchange Server 2010.

On March 2, 2021, the SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

IPS: 15418 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26857)
IPS: 15419 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 1
IPS: 15420 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution (CVE-2021-26855) 2
IPS: 15421 WEB-ATTACKS Microsoft Exchange Server Remote Code Execution 1

It is also recommended that DPI-SSL be enabled. The following articles describe how to configure DPI-SSL:
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-client-dpi-ssl/170505885674291/
https://www.sonicwall.com/support/knowledge-base/how-to-configure-server-dpi-ssl/170505900099021/