Executive Summary

• CVE-2021-31206 is an unauthenticated RCE vulnerability targeting MS Exchange servers that enable attackers to compromise Internet-facing instances.
• The zero-day vulnerability is being actively exploited by threat actors to target Windows users.
• This vulnerability can be exploited to run arbitrary code in the target system. However, it requires an authenticated user, in a specific exchange role, to be compromised.

Analysis

Technical Details

• CVE-2021-31206 is a flaw in the parsing of archive-file format for Microsoft Windows or CAB(Cabinet) files.
• When handling filenames specified within a CAB file, the process does not properly validate a user-supplied path prior to using it in file operations.
• An attacker can leverage this, in conjunction with other vulnerabilities, to execute arbitrary code in the context of SYSTEM.

Affected Platforms

Information from Cybercrime Forums

• Ransomware Operators
• Advanced Persistent Threats
• Access Brokers 

Impact & Mitigation

Impact

• RCE vulnerabilities allow attackers to execute commands and gain control over victims' systems. 
• Attackers can use RCE in vulnerable Exchange servers to get initial access to internal networks. 
• Attackers can then laterally move across internal networks to further the attack by deploying ransomware or by exfiltrating critical information. 

Mitigation