Microsoft has released emergency out-of-band security updates to plug seven Exchange Server vulnerabilities, four of which are zero-day flaws being actively exploited in the wild.
The four zero-day flaws (CVE-2021-26857, CVE-2021-26858, CVE-2021-26855, and CVE-2021-27065) are actively being exploited by attackers to plunder e-mail communications from organizations that have Microsoft Exchange Server software installations within their network.
Microsoft stated that a previously little-known Chinese group it calls 'Hafnium' is using these flaws; the group is known for its attacks against US-based companies.
Actively Exploited Zero-day Vulnerabilities
CVE-2021-26855 is a Server-Side Request Forgery (SSRF) vulnerability. An attacker with no access at all could exploit this flaw, because it causes the on-premises Exchange Server to issue a request on the attacker's behalf that it normally should not be permitted to make.
CVE-2021-26857 is an insecure-deserialization vulnerability in the Exchange Unified Messaging service that leads to remote code execution (RCE). It is part of the larger attack chain formed by the four zero-day vulnerabilities, in which this RCE flaw gives the attacker arbitrary code execution on the Exchange server.
CVE-2021-26858 is one of the two arbitrary file-write vulnerabilities present in Microsoft Exchange. Because this is a chained attack, the attackers could first use CVE-2021-26855 to obtain admin credentials and then use this flaw to write arbitrary files anywhere on the vulnerable Exchange server.
CVE-2021-27065 is the second arbitrary file-write vulnerability. Both file-write vulnerabilities (CVE-2021-26858 and CVE-2021-27065) require authentication before they can be exploited, which is where the SSRF vulnerability comes into play.
Exchange Server Vulnerability Patch
Microsoft has just released four fixes for these vulnerabilities; the details can be found in our April 2021 Patch Tuesday blog.