Microsoft Exchange Server post-auth arbitrary file write (ProxyLogon)

Successful exploitation allows an authenticated attacker to write attacker-controlled files anywhere on the vulnerable Exchange server. In practice, this enabled deployment of web shells, malware staging, persistent backdoors, mailbox and file access, credential theft, and follow-on compromise of the broader environment. Multiple sources in the content note that exploitation of vulnerable on-premises Exchange servers could lead to arbitrary code execution, persistent system access, theft of credentials and mailbox contents, and potentially compromise of Active Directory trust and identity.

If immediate patching is not possible, the content recommends temporary compensating controls including restricting untrusted connections to port 443, blocking external access to /owa/ and /ecp/, placing Exchange behind a VPN, or disconnecting vulnerable Exchange servers from the internet. Defenders should investigate for compromise dating back to at least January 1, 2021, use Microsoft's Test-ProxyLogon.ps1 and EOMT.ps1 tools where applicable, search for suspicious ASPX files in Exchange and IIS paths, review ECP/IIS logs for known exploitation patterns, and assume identity compromise if exploitation is confirmed.

Apply Microsoft's March 2021 Exchange security updates for CVE-2021-26858 and the related ProxyLogon vulnerabilities. The content states Microsoft released out-of-band patches for supported Exchange Server 2010, 2013, 2016, and 2019 builds, plus additional temporary security updates for certain older cumulative updates documented in KB5000871. Organizations should move to a supported cumulative update and ensure the March 2021 security fixes remain present after any CU upgrade, because installing a later CU without the fixes can reintroduce exposure. Microsoft guidance in the content also notes installation from an elevated command prompt and rebooting the server after patching, as the server is not protected until restart is complete. If compromise is suspected, remediation should include web shell hunting, IOC review, credential reset, and incident response rather than patching alone.