CVE-2021-34473

Vulnerability updated 6 months ago (2024-05-22T19:17:29.153Z)

Download STIX

Preview STIX

CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to gain unauthorized access, take control of an unpatched server, and execute malicious activities. The exploitation of these vulnerabilities has been frequently reported, making them some of the most routinely exploited bugs, second only to the Fortinet SSL VPN vulnerability (CVE-2018-13379). Threat actors have effectively used the ProxyShell vulnerabilities to infiltrate victims' infrastructures. Specifically, they have leveraged these flaws to inject an info stealer into the Microsoft Exchange Server. The combination of these three vulnerabilities has been identified as one of the most common attack vectors targeting Microsoft Exchange servers. Notably, the ProxyShell vulnerabilities were among the most exploited vulnerabilities last year, following the Fortinet SSL VPN vulnerability. Several protective measures have been put in place to guard against these threats. For instance, Check Point IPS provides protection against this threat, including the Microsoft Exchange Server Security Feature Authentication Bypass (CVE-2021-31207) and the Microsoft Exchange Server Remote Code Execution (CVE-2021-34473). Despite these protective measures, various threat actors, including Cadet Blizzard, have continued to exploit these vulnerabilities, often alongside other flaws such as the Atlassian Confluence bug (CVE-2021-26084) and Log4Shell (CVE-2021-44228).

Description last updated: 2024-05-22T19:16:21.365Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Proxyshell is a possible alias for CVE-2021-34473. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac	8

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Microsoft

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Hive Malware is associated with CVE-2021-34473. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT40 Threat Actor is associated with CVE-2021-34473. APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for its use of a variety of attack vectors, notably spear-phishing emails posing as individuals likely to be of interest	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2021-31207 Vulnerability is associated with CVE-2021-34473. CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and a	Unspecified	5
The vulnerability CVE-2021-34523 is associated with CVE-2021-34473.	Unspecified	3
The Proxylogon Vulnerability is associated with CVE-2021-34473. ProxyLogon is a significant software vulnerability that was discovered in Microsoft Exchange Server. It is part of an exploit chain, including CVE-2021-26855, which is a server-side request forgery (SSRF) vulnerability. This flaw allows attackers to bypass authentication mechanisms and impersonate u	Unspecified	3
The CVE-2021-44228 Vulnerability is associated with CVE-2021-34473. CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted	Unspecified	3
The Follina Vulnerability is associated with CVE-2021-34473. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,	Unspecified	2
The Log4Shell Vulnerability is associated with CVE-2021-34473. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized	Unspecified	2
The Proxyshell Cve-2021-34473 Vulnerability is associated with CVE-2021-34473. ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is a set of three chained vulnerabilities that perform unauthenticated remote code execution (RCE) in Microsoft Exchange. Identified as a significant flaw in software design or implementation, it allows unauthorized users to execute arbitra	Unspecified	2

Source Document References

Information about the CVE-2021-34473 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CISA	6 days ago	2023 Top Routinely Exploited Vulnerabilities \| CISA
InfoSecurity-magazine	2 months ago	14 Million Patients Impacted by US Healthcare Data Breaches in 2024
Securelist	3 months ago	New malicious web shell from the Tropic Trooper group is found in the Middle East
Securityaffairs	4 months ago	Cybersecurity agencies warn of China-linked APT40 's capabilities
CISA	4 months ago	People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action \| CISA
BankInfoSecurity	6 months ago	Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42	6 months ago	Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Securityaffairs	6 months ago	A malware campaign exploits Microsoft Exchange Server flaws
CERT-EU	9 months ago	Sensor Intel Series: Top CVEs in December 2023
CERT-EU	10 months ago	ProxyShell-targeting Babuk Tortilla ransomware decrypted after hacker’s arrest \| #ransomware \| #cybercrime \| National Cyber Security Consulting
MITRE	a year ago	RaaS AvosLocker Incident Response Analysis
MITRE	a year ago	Ransomware Spotlight: AvosLocker
CERT-EU	a year ago	GitHub - kh4sh3i/ProxyShell: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in October 2023
CERT-EU	a year ago	CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations
CERT-EU	a year ago	What we know about BlackCat and the MGM hack
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in August 2023 \| F5 Labs
Securityaffairs	a year ago	Earth Lusca expands its arsenal with SprySOCKS Linux malware
Trend Micro	a year ago	Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
DARKReading	a year ago	Iran's Charming Kitten Pounces on Israeli Exchange Servers