New Microsoft Exchange Vulnerability Disclosed

Etay Maor
March 8, 2021

Several new CVEs targeting MS Exchange servers have been discovered and shared by Microsoft. Attacks using these CVEs include manipulation of domain admin accounts, deployment of a web shell and exfiltration of data.

Cato Networks security team has already developed and deployed the proper defenses for this new threat.

Earlier this week Microsoft disclosed a set of new 0-day CVEs (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065) which were (and still are) used by the HALFIUM group to target Microsoft Exchange servers. These vulnerabilities were used by the attackers to create files and web shells using privileged users accounts which gave the attackers persistent access to the vulnerable servers as well as RCE (Remote Code Execution) capabilities and data exfiltration. According to available forensics and security investigations the affected entities were mainly US government entities and retailers.

As part of our research on new and emerging threats, Cato Networks researchers have found evidence of attackers (not necessarily the HALFIUM group) running a script to scan for vulnerable servers.

A code snippet from the scanning script

A code snippet from the scanning script


Additional Reading:
Microsoft official release:


Etay Maor

Etay Maor is the Senior Director of Security Strategy at Cato Networks and an industry-recognized cybersecurity researcher. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and a MA in Counter-Terrorism and Cyber-Terrorism.