
Just in Time Bulletin: CVE-2021-28480 Four More Zero-day Vulnerabilities in Microsoft Exchange Server

Sep 02, 2021

We covered the four zero-day vulnerabilities in Microsoft Exchange Server back on March 3rd, 2021.

Four more zero-day vulnerabilities – CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 – in Microsoft Exchange Server have been used in attacks in the wild.

What are CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483? 

CVE-2021-28480 and CVE-2021-28481 are pre-authentication vulnerabilities in Microsoft Exchange Server. A pre-authentication vulnerability means that an attacker does not need to authenticate to the vulnerable Exchange Server in order to exploit the vulnerability. All the attacker needs to do is perform reconnaissance against their intended targets and then send specially crafted requests to the vulnerable Exchange Server.

CVE-2021-28482 and CVE-2021-28483 are post-authentication vulnerabilities in Microsoft Exchange Server. These are only exploitable once an attacker has authenticated to a vulnerable Exchange Server. However, these flaws could be chained together with a pre-authentication Exchange Server vulnerability to bypass that requirement. 

How bad is this? 

CVE             CVSSv3 Score
CVE-2021-28480  9.8
CVE-2021-28481  9.8
CVE-2021-28482  8.8
CVE-2021-28483  9.0

Active exploitation today: Exploited in the wild

Severity: Critical

  • credentials not required
  • authentication bypass
  • results in compromise of the Exchange server

Who is affected by this? 

All 4 vulnerabilities – CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 – affect the following 5 Exchange Server versions:

  • Microsoft Exchange Server 2019 Cumulative Update 9
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2016 Cumulative Update 20
  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2013 Cumulative Update 23

How are they exploited? 

Please review the Microsoft Security Advisory for the exploitation details. 

How do I protect myself? 

Microsoft has released patches that address all 4 vulnerabilities. Microsoft emphasizes the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent further abuse across the ecosystem.

NopSec strongly encourages organizations to apply these patches as soon as possible.

Additional Resources: