Microsoft Exchange Zero-Day Vulnerabilities Exploited in the Wild

Share :

Executive Summary

On Tuesday, 2 March, Microsoft released an out-of-band patch to address multiple remote code execution (RCE) vulnerabilities in Microsoft Exchange. Four of these vulnerabilities are connected to attacks by a nation-state threat group known as HAFNIUM, dating back to at least January 6, 2021. HAFNIUM chained together several of these vulnerabilities to exploit vulnerable Exchange Servers in their attacks to access full mailboxes of interest.

The four vulnerabilities exploited in these attacks (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) affect on-prem deployments of Microsoft Exchange 2013, 2016, and 2019.

Arctic Wolf is actively updating detections against these vulnerabilities, which include IOCs and TTPs shared by Microsoft, and will continually monitor customer environments for indicators of attack.



  • A server-side request forgery (SSRF) vulnerability in Exchange allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.


  • An insecure deserialisation vulnerability in the Unified Messaging service.
  • Exploiting this vulnerability can allow an attacker to run code as SYSTEM on the Exchange server.
  • This vulnerability requires administrator privileges or another vulnerability to exploit. Microsoft has observed HAFNIUM chain CVE-2021-26855 linked with this one to authenticate with elevated privileges.

CVE-2021-26858 & CVE-2021-27065

  • These two are post-authentication arbitrary file write vulnerabilities in Exchange.
  • If an attacker can authenticate with the Exchange server, then they can use one of these vulnerabilities to write a file to any path on the server. Microsoft observed HAFNIUM chain CVE-2021-26855 linked with this one to authenticate with elevated privileges.

Who is the HAFNIUM threat group?

  • Microsoft has assessed HAFNIUM as a state-sponsored threat group operating out of China based on observed victimology, tactics, and procedures.
  • According to Microsoft, HAFNIUM primarily targets U.S. entities across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents