URGENT: Zero-Day Exploit in Exchange Server, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

Red skull email displaying on a laptop screen

Mar 5, 2021 by Leah Weisman

There is a zero-day exploit in the wild that allows bad actors to obtain full control over an Exchange server, which then gives access to other internal resources. Microsoft released a patch for this on March 2, 2021.

Exchange Server 2010, 2013, 2016 and 2019 are all affected. Exchange Online is not affected, however, many organizations still have a hybrid environment set up.

Please note that to install the patches in question, your Exchange server may need an Exchange Cumulative Update installed first.

Microsoft, the U.S. government and Mirazon all urge you to apply these patches right away.

We also noticed that auto-forwarding may get disabled by this patch, probably on purpose on Microsoft’s part.

If any user has a rule in their Outlook or Exchange to auto-forward email to an external account, it may be disabled after this week’s patches. This also applies to hybrid environments with Office 365 mailboxes. The auto-forwarding email will receive an NDR -(NonDelivery Receipt) so you will know the auto-forwarding is disabled.

We typically don’t recommend auto-forwarding anyway, as that is a liability. It is an easy way to lose control of corporate data. It is also a common method used by hackers to access email. If an account is compromised, typically the first thing the bad actor will do is set up rules in Outlook to automatically move email to other folders or to auto-forward, so unsuspecting users won’t see certain emails. It’s also common for users to assume that since they changed their password the account is no longer compromised, not realizing email is still auto-forwarding to an outside malicious party.

Resources

Cybersecurity and Infrastructure Security Agency

Petri

Microsoft Techcommunity

Security updates are available for the following specific versions of Exchange:

If you need help patching your Exchange server, we can help. Send us an email at info@mirazon.com or call us at 502-240-0404!

Press enter to search