China-Linked HAFNIUM Group Exploits Four Microsoft Exchange Zero-Days

Microsoft today disclosed four previously unknown vulnerabilities in on-premises versions of Exchange Server that are being actively exploited in the wild, and attributed the activity to a state-sponsored Chinese threat actor the company tracks as HAFNIUM.

The chain — dubbed ProxyLogon by security researcher Orange Tsai, who reported the underlying flaws — combines a server-side request forgery, an authentication bypass, an arbitrary file write, and an insecure deserialization to allow unauthenticated remote attackers to install web shells on internet-facing Exchange servers.

The vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft released out-of-band emergency patches and a one-click mitigation tool, but security researchers estimate that tens of thousands of unpatched servers were compromised before defenders could act.

"This isn't just a HAFNIUM problem anymore," said Brian Krebs in a widely cited blog post. "The proof-of-concept is in the wild, and we're seeing a feeding frenzy of opportunistic actors — ransomware crews, cryptominers, and other state-sponsored groups — spraying web shells across the open internet."

CISA issued Emergency Directive 21-02 requiring federal civilian agencies to either patch or disconnect on-premises Exchange servers within days. The agency later confirmed it had taken the unprecedented step of requesting court approval to allow the FBI to remotely remove malicious web shells from compromised servers without owner consent.

ProxyLogon is widely regarded as a turning point in the Exchange Server threat landscape, and accelerated migration to Exchange Online for organizations that had been holding out on cloud transitions.