Management & Strategy

Microsoft Issues Guidance on ProxyShell Vulnerabilities

Microsoft on Wednesday warned Exchange customers that their deployments are exposed to attacks exploiting the ProxyShell vulnerabilities unless the appropriate patches have been installed.

The ProxyShell bugs, which are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, can be chained to run arbitrary code without authentication. The first two bugs were patched in April, while the third received a fix in May.

Researchers with security consulting firm DEVCORE exploited the security holes at the 2021 Pwn2Own hacking contest, but technical details were made public only a few weeks ago, at the Black Hat and DEF CON cybersecurity conferences.

Soon after, the first scans for vulnerable Exchange servers commenced, and the first attacks targeting the exposed servers – over 30,000 of them – were also observed.

Last week, security researchers identified more than 1,900 unpatched systems that were compromised, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on attacks targeting Exchange servers affected by the ProxyShell flaws.

In a blog post on Wednesday, Microsoft underlined the importance of installing patches in a timely manner, noting that only systems without the already issued fixes are susceptible to compromise.

“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities,” the tech giant notes.

Systems without either of these security updates, the company says, are vulnerable to attack. Furthermore, the company pointed out, Exchange servers should always be kept on the latest available Cumulative Update (CU) and Security Update (SU).

Vulnerable Exchange servers, Microsoft notes, fall into three groups: those running older, unsupported CUs; those running the March 2021 SUs released for older, unsupported versions of Exchange; and those running older, unsupported CUs with only the March 2021 mitigations applied.

“In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities,” the company says.
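The three vulnerable scenarios above reduce to one rule: a server is protected only if it runs a supported CU and the latest SU for that CU. The following inventory triage script, added here as an illustration rather than code from Microsoft or SecurityWeek, applies that rule to a constructed list of servers. The supported-CU table and the SU labels are placeholders; an administrator would replace them with the build numbers from Microsoft's published Exchange build list, and would populate the inventory from their own environment rather than the sample below.

```python
"""Triage an Exchange server inventory against the patch-state rule described
in the article: protected only if (supported CU) AND (latest SU for that CU).

All CU/SU values below are PLACEHOLDERS constructed for this example, not
Microsoft's published build numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder table: supported CUs per Exchange version, mapped to the latest SU
# for that CU. Replace with current values from Microsoft's build-number list.
SUPPORTED: Dict[str, Dict[str, str]] = {
    "2016": {"CU20": "SU-2021-07", "CU21": "SU-2021-07"},
    "2019": {"CU9": "SU-2021-07", "CU10": "SU-2021-07"},
}


@dataclass
class ExchangeServer:
    name: str
    version: str                     # "2016" or "2019" (placeholder labels)
    cu: str                          # cumulative update installed, e.g. "CU21"
    su: Optional[str]                # latest SU installed, or None
    march_mitigations: bool = False  # March 2021 interim mitigations applied


def classify(server: ExchangeServer) -> Tuple[str, str]:
    """Return (status, reason); status is 'protected' or 'vulnerable'.

    The reason string names which of the article's scenarios applies so the
    output can be acted on without re-reading the guidance.
    """
    supported_cus = SUPPORTED.get(server.version, {})
    if server.cu not in supported_cus:
        # Scenario 3: unsupported CU with only the March mitigations applied.
        if server.march_mitigations:
            return ("vulnerable", "unsupported CU; March 2021 mitigations are not a substitute for the SU")
        # Scenario 2: an SU issued for an unsupported version/CU.
        if server.su:
            return ("vulnerable", f"SU {server.su} is for an unsupported CU ({server.cu})")
        # Scenario 1: plain unsupported CU.
        return ("vulnerable", f"unsupported CU ({server.cu}) with no SU")
    latest_su = supported_cus[server.cu]
    if server.su != latest_su:
        # Supported CU, but the latest SU is missing or stale.
        return ("vulnerable", f"{server.cu} has SU {server.su or 'none'}; latest is {latest_su}")
    return ("protected", f"{server.cu} with {latest_su}")


def triage(servers: List[ExchangeServer]) -> Dict[str, List[str]]:
    """Group server names by status so the vulnerable set can be patched first."""
    groups: Dict[str, List[str]] = {"protected": [], "vulnerable": []}
    for server in servers:
        status, _ = classify(server)
        groups[status].append(server.name)
    return groups


# Constructed sample inventory covering each scenario from the article.
INVENTORY = [
    ExchangeServer("ex01", "2019", "CU10", "SU-2021-07"),                   # fully patched
    ExchangeServer("ex02", "2019", "CU8", "SU-2021-03"),                    # SU on unsupported CU
    ExchangeServer("ex03", "2016", "CU18", None, march_mitigations=True),   # mitigations only
    ExchangeServer("ex04", "2016", "CU21", "SU-2021-05"),                   # supported CU, stale SU
]

if __name__ == "__main__":
    for server in INVENTORY:
        status, reason = classify(server)
        print(f"{server.name}: {status} ({reason})")
```

The point of separating `classify` from `triage` is that the reason text travels with each server: a vulnerable result caused by a stale SU on a supported CU needs only the SU installed, whereas an unsupported CU needs a CU upgrade before any SU will apply, which is exactly the distinction Microsoft's guidance draws.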

The tech giant recommends that all customers install the latest set of updates on their Exchange servers, which would ensure they are protected from any compromise attempts.

Over the weekend, similar patching recommendations were issued by Rob Joyce, director of cybersecurity at the NSA, who pointed out that the number of attacks targeting Exchange servers is surging.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
