Proxylogon Vulnerabilities – Summary

Technical Advice

The vulnerabilities described on this and the following pages are known as the Proxylogon vulnerabilities of the on-premises Microsoft Exchange email server. If you have a Microsoft Exchange email server on-site (rather than in the ‘cloud’ through Microsoft 365) you may be at risk of these vulnerabilities.

While this is a collection of four vulnerabilities, the highest risk vulnerability has been independently scored as posing a critical risk to most organisations.

The Operation Configured team have contacted you because research indicates that your organisation or an organisation your ICT team supports may have this vulnerability and it is exposed to the public internet. While it is possible that this information is incorrect because of the method of vulnerability identification employed by the Operation , it is important you establish for yourself whether the organisation is vulnerable. If you establish that the systems are vulnerable, there is an increased risk they will fall victim to a potentially devastating criminal cyber attack as a result.

There is another, non-technical summary of this vulnerability available for managers and decision makers. You will need to support them in making choices about how to approach this situation.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, Officers from the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

About this Vulnerability

In 2021 researchers detected the exploitation of four technical vulnerabilities being used to attack on-premises versions of the Microsoft Exchange Server in limited and targeted attacks. Microsoft Exchange is predominantly an email server, but does provide some other functionality.

In the attacks observed, the criminals, often referred to as ‘threat actors’, used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts. The criminals could also further exploit the server in a way which allowed them to install additional malicious software (‘malware’) to facilitate long-term access to the networks and systems of their victims.

The Common Vulnerabilities and Exposures (CVE) reference for this vulnerability are:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

Research conducted around these CVE’s shows that :

  • they are remotely exploitable over the internet
  • the complexity required to exploit is low (meaning a relatively unskilled attacker can achieve this)
  • no privileges are required to exploit

If these CVE’s are exploited, it can risk the complete loss of confidentiality and integrity of the server. This could result in all of the resources being disclosed to an attacker and presents a direct serious impact to an organisation’s network.

It is possible for an attacker to also modify any or all files, so any malicious modification would present a critical threat.

The Risk this Vulnerability poses

There are significant risks should you choose to ignore or accept these vulnerabilities remaining in your system. Criminals are known to be actively scanning for vulnerable Exchange email servers and using them to attack organisations. Consequences may include, but are not limited to:

  • Theft of data
  • Corruption of backups
  • Using the compromised system to attack others, damaging the organisational reputation
  • Ransomware attack against systems
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • The organisation ceasing operations because of system failure, reputational damage or financial losses

Examples of Exploitation of this Vulnerability

Thousands of organisations have fallen victim to the exploitation of the Proxylogon group of vulnerabilities and it made headlines – BBC: Microsoft Hack: 3,000 UK email servers remain unsecured. A number of organisations, such as the European Banking Authority, have admitted they have been victims.

Next Steps

The next steps for the organisation should be to:

  1. Verify the presence of this vulnerability in the organisation; if so:
  2. Establish if this vulnerability has already been exploited on the organisation’s systems
  3. Work with management to establish the degree of threat, potential harm and risk posed to the organisation
  4. Isolate and mitigate the risk as soon as possible
  5. Establish a plan to resolve this vulnerability and eliminate the risk
  6. Plan to improve the organisation’s cybersecurity for the future

For more information:

What to do Next