CVE-2021-34473

Vulnerability Profile Updated 2 months ago
CVE-2021-34473 is a significant vulnerability in Microsoft Exchange Server. Together with two other flaws (CVE-2021-31207 and CVE-2021-34523) it forms the exploit chain known as ProxyShell. Chained together, these vulnerabilities let remote attackers gain unauthorized access to an unpatched server, take control of it, and carry out further malicious activity.

Exploitation of ProxyShell has been reported frequently: it was among the most routinely exploited bugs last year, second only to the Fortinet SSL VPN vulnerability (CVE-2018-13379). Threat actors have used the ProxyShell vulnerabilities to infiltrate victims' infrastructure, in particular to inject an info stealer into the Microsoft Exchange Server, and the combination of the three flaws has been identified as one of the most common attack vectors targeting Microsoft Exchange servers.

Several protective measures exist. For instance, Check Point IPS provides protection against this threat, covering both the Microsoft Exchange Server Security Feature Authentication Bypass (CVE-2021-31207) and the Microsoft Exchange Server Remote Code Execution (CVE-2021-34473). Despite these protections, threat actors including Cadet Blizzard have continued to exploit these vulnerabilities, often alongside other flaws such as the Atlassian Confluence bug (CVE-2021-26084) and Log4Shell (CVE-2021-44228).
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Proxyshell | 7 | ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Microsoft
Vpn
CISA
Proxy
Israeli
Eset
Apt
Chromium
Ransomware
Confluence
MGM
Apache
Backdoor
exploited
Remote Code ...
Blizzard
flaw
bugs
Vulnerability
Associated Malware
ID | Type | Votes | Profile Description
Hive | Unspecified | 2 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Associated Threat Actors
ID | Type | Votes | Profile Description
APT40 | Unspecified | 2 | APT40, a Chinese cyber espionage group suspected to be linked to the People's Republic of China (PRC) Ministry of State Security, has been identified as a significant threat actor. The group typically targets countries strategically important to China's Belt and Road Initiative. Over the years, APT4
Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Blackbyte | Unspecified | 1 | BlackByte, a threat actor known for its malicious activities, has been on the radar of cybersecurity agencies since its emergence in July 2021. Notorious for targeting critical infrastructure, BlackByte attracted the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (U
Cadet Blizzard | Unspecified | 1 | Cadet Blizzard, a threat actor group associated with Russia's GRU military intelligence unit, has been identified by Microsoft as the perpetrator of destructive cyber attacks in Ukraine using wiper malware. The group has been active since at least 2020 and has recently gained some success, according
Charming Kitten | Unspecified | 1 | Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-31207 | Unspecified | 5 | CVE-2021-31207 is a significant software vulnerability that affects Atlassian Confluence and Microsoft Exchange. It was discovered that Advanced Persistent Threat group APT40 rapidly exploits this flaw, along with other public vulnerabilities in widely used software like Log4J (CVE-2021-44228) and M
CVE-2021-34523 | Unspecified | 3 | None
CVE-2021-44228 | Unspecified | 3 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
Log4Shell | Unspecified | 2 | Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
Follina | Unspecified | 2 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Proxylogon | Unspecified | 2 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
Proxyshell Cve-2021-34473 | Unspecified | 2 | ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is a set of three chained vulnerabilities that perform unauthenticated remote code execution (RCE) in Microsoft Exchange. Identified as a significant flaw in software design or implementation, it allows unauthorized users to execute arbitra
CVE-2021-40539 | Unspecified | 1 | None
CVE-2018-13379 | Unspecified | 1 | CVE-2018-13379 is a critical vulnerability that affects FortiOS and Fortiguard, presenting a flaw in their software design or implementation. This specific vulnerability, which can expose sensitive credentials, has been frequently exploited, making the top 15 most routinely exploited list in both 20
Proxylogon Cve | Unspecified | 1 | None
Proxyshell Cve | Unspecified | 1 | None
Proxynotshell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2021-26084 | Unspecified | 1 | CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta
CVE-2022-41040 | Unspecified | 1 | CVE-2022-41040 is a software vulnerability that was discovered in late September 2022, along with another flaw, CVE-2022-41082. These two zero-day vulnerabilities were collectively known as ProxyNotShell. The vulnerabilities were exploited to compromise Microsoft Exchange through the proxy mechanism
Source Document References
Information about the CVE-2021-34473 Vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 17 days ago | Cybersecurity agencies warn of China-linked APT40 's capabilities
CISA | 18 days ago | People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action | CISA
BankInfoSecurity | 2 months ago | Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42 | 2 months ago | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Securityaffairs | 2 months ago | A malware campaign exploits Microsoft Exchange Server flaws
CERT-EU | 5 months ago | Sensor Intel Series: Top CVEs in December 2023
CERT-EU | 7 months ago | ProxyShell-targeting Babuk Tortilla ransomware decrypted after hacker’s arrest | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE | 7 months ago | RaaS AvosLocker Incident Response Analysis
MITRE | 7 months ago | Ransomware Spotlight: AvosLocker
CERT-EU | 8 months ago | GitHub - kh4sh3i/ProxyShell: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
CERT-EU | 8 months ago | Sensor Intel Series: Top CVEs in October 2023
CERT-EU | 8 months ago | CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations
CERT-EU | 10 months ago | What we know about BlackCat and the MGM hack
CERT-EU | 10 months ago | Sensor Intel Series: Top CVEs in August 2023 | F5 Labs
Securityaffairs | 10 months ago | Earth Lusca expands its arsenal with SprySOCKS Linux malware
Trend Micro | 10 months ago | Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
DARKReading | 10 months ago | Iran's Charming Kitten Pounces on Israeli Exchange Servers
CERT-EU | a year ago | From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools
Securelist | a year ago | Analysis of Cuba ransomware gang activity and tooling
CERT-EU | a year ago | Qualys Top 20 Exploited Vulnerabilities | Qualys Security Blog