Microsoft Exchange Server Hack – What You Need to Know

Microsoft Exchange Server Hack – What You Need to Know

Over 30,000 organizations across the United States are the victim of a hacking scheme involving a state-sponsored group from China. This aggressive espionage group focused on taking advantage of four zero-day vulnerabilities to exploit within Microsoft Exchange Server. These vulnerabilities include a server-side request forgery, insecure deserialization, and two arbitrary file write vulnerabilities located in Microsoft Exchange.

These vulnerabilities impact any company using the software version of the Microsoft Exchange Server. However, Microsoft Exchange Online isn't impacted by these security vulnerabilities.

The state-sponsored group is also known as "Hafnium," as it's often targeted various institutions in the United States, such as law firms, defense contractors, think tanks, non-governmental organizations, and infectious disease researchers.

Here is an overview of the vulnerabilities.


CVE-2021-26855 is a server-side request forgery vulnerability that's found in Microsoft Exchange Server. A remote hacker can exploit this flaw by creating a specific HTTP request to the Exchanger Server. Successful exploitation of this vulnerability would enable the attacker to gain access to user mailboxes, as they only need to identify the IP address of an Exchange Server to access this information.


CVE-2021-26857 is another zero-day vulnerability threat involving insecure deserialization in Microsoft Exchange. The flaw happens within the Exchange Unified Messaging Service, as it allows voice mail functionality and other features. Successfully exploiting this vulnerability enables the hacker to gain code execution privileges.

CVE-2021-26858 and CVE-2021-27065

Both of these flaws involve post-authentication, which means an attacker needs to authenticate the Exchange Server before exploiting these vulnerabilities. A hacker can achieve this by gaining access to stolen admin credentials or exploiting CVE-2021-26855. Once authentication is complete, a hacker can easily access a vulnerable server.

These attackers are exploiting security flaws by deploying web shells on targeted computer systems to steal login credentials and confidential mailbox data. Intrusions have been detected since January 2021, as other threat actors are also leveraging these security flaws.

How to Keep Your Organization Protected

Downloading the latest patches to protect your business against these zero-day vulnerabilities is essential in keeping your data safe. Downloading and applying updates for Microsoft Exchange Server 2013, 2016, and 2019 is critical in protecting your emails and administrative access to your computer system.

Feel free to reach out to the NetWatchmen team if you have any questions or feel that your servers have been impacted due to these vulnerabilities.