No advisory? No PoC? No problem!
Since these CVEs were published (April 13, 2021), we’ve been looking for a detailed technical advisory – but it never came. No solid PoC exploit scripts surfaced either, so we took matters into our own hands.
Our team built a detection module that identifies Exchange servers vulnerable to the combination of pre-auth and post-auth vulnerabilities the NSA disclosed:
Bad actors love these because the first two vulns don’t even require authenticating to the exposed Exchange Server. All they have to do is perform thorough recon and send specially crafted requests to their target to get RCE.
If you’ve already dealt with ProxyLogon (for which we launched a dedicated scanner in March), know that these security weaknesses follow a similar operating model.