A troubling new vulnerability affecting Microsoft Exchange email servers has been disclosed by researchers, though details are still emerging on the severity and exploitability of the flaw.
The vulnerability, disclosed by researchers at cybersecurity vendor GTSC, could enable remote execution of commands on a vulnerable server, according to the company. It appears to be a "zero-day" vulnerability, meaning it was already being exploited in the wild before the software vendor had a patch available.
Trend Micro said Thursday that the vulnerability was submitted to Microsoft via its Zero Day Initiative program. On Friday, Microsoft said it’s “working on an accelerated timeline” to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, including the remote code execution flaw disclosed by GTSC.
Researcher Kevin Beaumont, who was among the first to discuss GTSC's findings in a series of tweets Thursday, said he is aware of the vulnerability being "actively exploited in the wild" and that he "can confirm significant numbers of Exchange servers have been backdoored."
Remote code execution vulnerabilities are considered a serious security risk because an attacker who can run arbitrary code on a server can typically take full control of it. Log4Shell, the critical vulnerability disclosed in the Apache Log4j logging component in December 2021, was also a remote code execution flaw.
Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys, told Protocol that he expects exploitation of the vulnerability to escalate in the next few days. Exchange servers must be connected directly to the internet and are a key function for many businesses since email can't be turned off without causing a major disruption, Smith noted. For those reasons, Exchange "is a juicy target for threat actors to exploit," he said in an email.
On Thursday, the initial reaction among security researchers was that it wasn't clear from GTSC's original disclosure whether this was in fact a brand-new, zero-day vulnerability in Microsoft Exchange, or if it might just be a new version of a previously disclosed vulnerability known as "ProxyShell." Beaumont noted in a blog post that a key portion of the exploit process detailed by the vendor "looks exactly like ProxyShell," which was disclosed in 2021.
However, GTSC subsequently updated its blog post, making it clear that the vulnerability affected Exchange servers that had already been patched with the latest updates. As a result, "an exploitation using Proxyshell vulnerability was impossible," the researchers said in the blog post update.
John Hammond, a well-known researcher at cybersecurity vendor Huntress, tweeted that the update makes clear that this "is in fact a new 0-day" remote code execution vulnerability.
Mike Parkin, a senior technical engineer at Vulcan Cyber, told Protocol that he had reached the same conclusion.
The fact that the compromised system was up to date before it was breached "indicates the attack leveraged a new vulnerability, not the one that was previously known," Parkin said in an email. Still, GTSC "hasn't released many details, so we are having to extrapolate from what they have said," he said.
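The argument in the GTSC update and in Parkin's assessment rests on one fact: the compromised server was fully patched before it was breached. That is a claim an administrator should be able to back with evidence rather than memory. The following is an added example, not code from the article, GTSC, Microsoft or any of the people quoted, showing one way to record the patch level of every Exchange server in an organization. It uses two standard checks: the AdminDisplayVersion reported by Get-ExchangeServer, which tracks the cumulative update, and the file version of Exsetup.exe, which also reflects the installed security update. The expected build is an operator-supplied value taken from Microsoft's published Exchange build table; the script itself assumes no particular build, and the version string in the usage line is a placeholder.

```powershell
# Added example (not from the article, GTSC or Microsoft): capture the patch level of
# each Exchange server so an "it was fully patched" claim can be checked against evidence.
# Run from the Exchange Management Shell with an account that can Invoke-Command to
# every server. The expected build comes from Microsoft's Exchange build-number table;
# this script does not know it.

function Get-ExchangePatchLevel {
    param(
        # Expected Exsetup.exe file version for the current security update.
        # Placeholder: supply the value from Microsoft's build table for your version.
        [Parameter(Mandatory)] [version] $ExpectedBuild
    )

    Get-ExchangeServer | ForEach-Object {
        $server = $_

        # AdminDisplayVersion only tracks the cumulative update level. The Exsetup.exe
        # file version changes with security updates too, so read it on each server.
        $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
            (Get-Command Exsetup.exe).FileVersionInfo.FileVersion
        }

        [pscustomobject]@{
            Server              = $server.Name
            AdminDisplayVersion = $server.AdminDisplayVersion
            ExsetupFileVersion  = $fileVersion
            # Leading zeros in the file version string (e.g. "15.02") parse fine as [version].
            UpToDate            = ([version]$fileVersion -ge $ExpectedBuild)
        }
    }
}

# Usage (replace the placeholder build with the one from Microsoft's table):
# Get-ExchangePatchLevel -ExpectedBuild '15.2.0.0' | Format-Table -AutoSize
```

A server whose Exsetup.exe version is below the expected build has not received the latest security update, regardless of what the cumulative-update number suggests; keeping this output from before an incident is what lets a team say, as GTSC did here, that exploitation of an already-patched flaw was not possible.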
Correction: This story was updated on Sept. 29, 2022, to correct the description of ProxyShell.