CVE-2021-34473

Vulnerability updated 4 months ago (2024-05-22T19:17:29.153Z)
CVE-2021-34473 is a pre-authentication remote code execution vulnerability in Microsoft Exchange Server (Microsoft's title: Microsoft Exchange Server Remote Code Execution Vulnerability). Together with CVE-2021-34523 (an elevation of privilege in the Exchange PowerShell backend) and CVE-2021-31207 (a post-authentication security feature bypass that permits an arbitrary file write), it forms the exploit chain known as ProxyShell: a remote attacker who can reach the Exchange front end over HTTPS can chain the three flaws to gain unauthenticated access, take control of an unpatched server and execute arbitrary commands on it. Microsoft fixed CVE-2021-34473 and CVE-2021-34523 in the April 2021 Exchange security updates and CVE-2021-31207 in the May 2021 updates; servers that have not received those updates remain exploitable. Exploitation has been reported so frequently that ProxyShell ranked among the most routinely exploited vulnerabilities of the year, second only to the Fortinet SSL VPN vulnerability CVE-2018-13379. Threat actors have used ProxyShell to gain an initial foothold in victims' infrastructure, including to inject an info stealer into Microsoft Exchange Server, and the chain has been identified as one of the most common attack vectors targeting Exchange servers. Network-level protections exist: Check Point IPS, for instance, provides signatures for Microsoft Exchange Server Security Feature Bypass (CVE-2021-31207) and Microsoft Exchange Server Remote Code Execution (CVE-2021-34473). Despite such protections, threat actors including Cadet Blizzard have continued to exploit ProxyShell, often alongside other flaws such as the Atlassian Confluence bug CVE-2021-26084 and Log4Shell (CVE-2021-44228).
Description last updated: 2024-05-22T19:16:21.365Z
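The description above names the three CVEs but not what their exploitation looks like on the wire. The added example below is not code from this page or from any vendor: it parses IIS W3C logs from an Exchange front end and flags the request shape used for CVE-2021-34473 (a request to /autodiscover/autodiscover.json whose query carries an '@' followed by a backend path such as /mapi/nspi or /powershell, plus an Email= parameter that echoes the autodiscover.json path) and, when the backend is /powershell and the query carries an X-Rps-CAT token, the CVE-2021-34523 privilege elevation that follows it. A third rule flags .aspx files served from /aspnet_client/, a common location for web shells dropped after the chain completes. The log lines, the host evil.corp, the client addresses and the shell.aspx name are all constructed for the example; the trimmed #Fields set is an assumption (real IIS logs carry more columns, which the parser handles because it reads the #Fields directive).

```python
"""Added example: hunt IIS W3C logs for ProxyShell request patterns.

Not code from the page or from any vendor; the sample log below is constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format with a trimmed field set (assumption).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-13 03:14:22 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@evil.corp 203.0.113.7 200
2021-08-13 03:14:23 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=FORGED_TOKEN&Email=autodiscover/autodiscover.json%3F@evil.corp 203.0.113.7 200
2021-08-13 03:14:25 POST /autodiscover/autodiscover.json @evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 203.0.113.7 200
2021-08-13 03:15:01 GET /autodiscover/autodiscover.xml - 198.51.100.9 401
2021-08-13 03:15:02 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 198.51.100.9 200
2021-08-13 03:16:40 GET /aspnet_client/shell.aspx cmd=whoami 203.0.113.7 200
"""

# CVE-2021-34473: '@host/<backend path>' in the Autodiscover query is the path-confusion
# shape that makes the front end proxy the backend part with SYSTEM-level privileges.
PATH_CONFUSION = re.compile(r"@[^/?&]*/(?P<backend>mapi/nspi|powershell|ews/exchange\.asmx)", re.I)
# The Email= parameter echoing autodiscover.json is the other half of the same request shape.
EMAIL_ECHO = re.compile(r"email=autodiscover/autodiscover\.json", re.I)
# CVE-2021-34523: a forged X-Rps-CAT token presented to the PowerShell backend.
RPS_CAT = re.compile(r"x-rps-cat=", re.I)


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        if fields is None:
            raise ValueError("data row before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than abort the hunt
        row = dict(zip(fields, values))
        row["_lineno"] = lineno
        rows.append(row)
    return rows


def hunt_proxyshell(log_text):
    """Return one finding dict per matched rule, in log order."""
    findings = []
    for row in parse_w3c(log_text):
        stem = row["cs-uri-stem"].lower()
        raw_query = row["cs-uri-query"]
        query = unquote(raw_query) if raw_query != "-" else ""  # IIS logs '-' for no query
        base = {"line": row["_lineno"], "client": row["c-ip"], "stem": stem}
        if stem == "/autodiscover/autodiscover.json":
            m = PATH_CONFUSION.search(query)
            if m and EMAIL_ECHO.search(query):
                backend = m.group("backend").lower()
                findings.append({**base, "cve": "CVE-2021-34473",
                                 "detail": "path confusion to backend /" + backend})
                if backend == "powershell" and RPS_CAT.search(query):
                    findings.append({**base, "cve": "CVE-2021-34523",
                                     "detail": "X-Rps-CAT token sent to PowerShell backend"})
        elif stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
            # Follow-on indicator, not a CVE match: nothing legitimate serves .aspx from here.
            findings.append({**base, "cve": None,
                             "detail": "aspx served from aspnet_client (possible web shell)"})
    return findings


def suspicious_clients(findings):
    """Sorted client IPs that triggered a CVE rule (web-shell-only hits excluded)."""
    return sorted({f["client"] for f in findings if f["cve"]})


if __name__ == "__main__":
    for f in hunt_proxyshell(SAMPLE_IIS_LOG):
        print(f"line {f['line']:>3}  {f['client']:<13} {f['cve'] or 'indicator':<15} {f['detail']}")
    print("clients to pivot on:", suspicious_clients(SAMPLE_IIS_LOG and hunt_proxyshell(SAMPLE_IIS_LOG)))
```

The rules match on the URL-decoded query so that %3F and mixed case do not evade them. The third link in the chain, CVE-2021-31207, does not show up in IIS logs at all: its trace is a New-MailboxExportRequest cmdlet in the Exchange Management log with an export path ending in .aspx under the web root, so pair this hunt with a review of that log.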
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Proxyshell (7 votes): ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Microsoft, Exploit
Associated Malware
Hive (type: Unspecified, 2 votes): Hive is a ransomware family whose code base has been used by the cybercriminal group Hunters International, which has launched ransomware attacks with it since October 2023. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated
Associated Threat Actors
APT40 (type: Unspecified, 2 votes): APT40 is a China-attributed cyber espionage group known for targeting countries strategically significant to the Belt and Road Initiative. The group has been linked to at least 51 different code families, exhibiting a broad range of capabilities. APT40 typically employs spear-phishing emails, often
Associated Vulnerabilities
CVE-2021-31207 (type: Unspecified, 5 votes): CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Microsoft Exchange Server (the same actor has also exploited Atlassian Confluence flaws), and a
CVE-2021-44228 (type: Unspecified, 3 votes): CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted
CVE-2021-34523 (type: Unspecified, 3 votes): no profile description.
Proxylogon (type: Unspecified, 2 votes): ProxyLogon is a significant software vulnerability, specifically a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. Identified as CVE-2021-26855, it forms part of the ProxyLogon exploit chain and allows attackers to bypass authentication mechanisms and impersonate users
Follina (type: Unspecified, 2 votes): Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Log4Shell (type: Unspecified, 2 votes): Log4Shell is a significant software vulnerability that exists within the Log4j Java-based logging utility. The vulnerability, officially designated as CVE-2021-44228, allows potential attackers to execute arbitrary code on targeted systems. Threat actors, including LockBit
Proxyshell Cve-2021-34473 (type: Unspecified, 2 votes): ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is a set of three chained vulnerabilities that perform unauthenticated remote code execution (RCE) in Microsoft Exchange. Identified as a significant flaw in software design or implementation, it allows unauthorized users to execute arbitra
Source Document References
Information about the CVE-2021-34473 Vulnerability was read from the documents corpus below.
Securelist, 2 days ago: New malicious web shell from the Tropic Trooper group is found in the Middle East
Securityaffairs, 2 months ago: Cybersecurity agencies warn of China-linked APT40's capabilities
CISA, 2 months ago: People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action | CISA
BankInfoSecurity, 3 months ago: Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42, 3 months ago: Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Securityaffairs, 4 months ago: A malware campaign exploits Microsoft Exchange Server flaws
CERT-EU, 7 months ago: Sensor Intel Series: Top CVEs in December 2023
CERT-EU, 8 months ago: ProxyShell-targeting Babuk Tortilla ransomware decrypted after hacker's arrest | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE, 9 months ago: RaaS AvosLocker Incident Response Analysis
MITRE, 9 months ago: Ransomware Spotlight: AvosLocker
CERT-EU, 9 months ago: GitHub - kh4sh3i/ProxyShell: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
CERT-EU, 9 months ago: Sensor Intel Series: Top CVEs in October 2023
CERT-EU, 10 months ago: CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations
CERT-EU, a year ago: What we know about BlackCat and the MGM hack
CERT-EU, a year ago: Sensor Intel Series: Top CVEs in August 2023 | F5 Labs
Securityaffairs, a year ago: Earth Lusca expands its arsenal with SprySOCKS Linux malware
Trend Micro, a year ago: Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
DARKReading, a year ago: Iran's Charming Kitten Pounces on Israeli Exchange Servers
CERT-EU, a year ago: From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools
Securelist, a year ago: Analysis of Cuba ransomware gang activity and tooling