Remote Code Execution (RCE) Vulnerability
Windows Server 2019/2016/2013
- CVE-2021-31206 is an unauthenticated RCE vulnerability targeting MS Exchange servers that enables attackers to compromise Internet-facing instances.
- The zero-day vulnerability is being actively exploited by threat actors to target Windows users.
- This vulnerability can be exploited to run arbitrary code in the target system. However, it requires an authenticated user, in a specific exchange role, to be compromised.
- CVE-2021-31206 is a flaw in the parsing of the Microsoft Windows archive-file format, CAB (Cabinet) files.
- When handling filenames specified within a CAB file, the process does not properly validate the user-supplied path before using it in file operations.
- An attacker can leverage this, in conjunction with other vulnerabilities, to execute arbitrary code in the context of SYSTEM.
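The weakness described above is a missing path check on CAB file-entry names. The following added example (not part of the original advisory or of any Microsoft code) walks the CFHEADER/CFFILE structures of a cabinet and flags entry names that would escape the extraction directory, the check a defender-side scanner or mail gateway would apply before any file operation. The sample cabinet is constructed inline and carries no CFDATA, so it is not extractable; only the name scan is exercised.

```python
import struct
from typing import List, Tuple

CFHEADER_LEN = 36  # fixed-size part of the CAB header, no reserve fields used here


def _cffile(name: bytes, size: int = 0) -> bytes:
    # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, szName NUL-terminated
    return struct.pack("<IIHHHH", size, 0, 0, 0, 0, 0x20) + name + b"\x00"


def build_sample_cab(names: List[bytes]) -> bytes:
    """Constructed sample: CFHEADER followed directly by CFFILE entries (no folders/data)."""
    files = b"".join(_cffile(n) for n in names)
    # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
    # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
    hdr = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, CFHEADER_LEN + len(files), 0,
                      CFHEADER_LEN, 0, 3, 1, 1, len(names), 0, 0, 0)
    return hdr + files


def cab_file_names(data: bytes) -> List[str]:
    """Return the szName of every CFFILE entry, located via coffFiles and cFiles."""
    if data[:4] != b"MSCF":
        raise ValueError("not a CAB file")
    (coff_files,) = struct.unpack_from("<I", data, 16)
    (n_files,) = struct.unpack_from("<H", data, 28)
    names, pos = [], coff_files
    for _ in range(n_files):
        _cb, _uoff, _ifolder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, pos)
        pos += 16
        end = data.index(b"\x00", pos)  # raises ValueError on a truncated entry
        # attribs bit 0x80 (_A_NAME_IS_UTF) marks a UTF-8 name; otherwise ANSI code page
        names.append(data[pos:end].decode("utf-8" if attribs & 0x80 else "cp1252", "replace"))
        pos = end + 1
    return names


def unsafe_cab_paths(data: bytes) -> List[Tuple[str, str]]:
    """Flag entry names that must not be used in file operations without validation."""
    findings = []
    for name in cab_file_names(data):
        parts = name.replace("\\", "/").split("/")
        if ".." in parts:
            findings.append((name, "parent-directory traversal"))
        elif name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
            findings.append((name, "absolute path"))
    return findings
```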
Exchange Server 2013 CU23 / 2016 CU20 / 2016 CU21 / 2019 CU10
Information from Cybercrime Forums
CloudSEK's Threat Intelligence Research team has observed that exploit code for this vulnerability is available to multiple threat actors and is being actively used by the following threat groups:
- Ransomware Operators
- Advanced Persistent Threats
- Access Brokers
Impact & Mitigation
- RCE vulnerabilities allow attackers to execute commands and gain control over victims' systems.
- Attackers can use RCE in vulnerable Exchange servers to get initial access to internal networks.
- Attackers can then laterally move across internal networks to further the attack by deploying ransomware or by exfiltrating critical information.
Mitigation
Patches for various Microsoft Exchange product versions were released on 13 July 2021:
- Microsoft Exchange Server 2019 Cumulative Update 10
- Microsoft Exchange Server 2016 Cumulative Update 21
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 20
- Microsoft Exchange Server 2019 Cumulative Update 9