ProxyShell, Exchange Server pre-auth RCE chain
Microsoft Exchange Server Remote Code Execution Vulnerability. A pre-authentication path-confusion issue in the Autodiscover URL handler allows an attacker to access privileged endpoints normally reserved for authenticated mailbox owners. When chained with CVE-2021-34523 (privilege elevation) and CVE-2021-31207 (post-auth RCE), it yields full SYSTEM execution.
Overview
CVE-2021-34473 is a critical pre-authentication vulnerability in Microsoft Exchange Server, forming the first link in the infamous "ProxyShell" exploit chain. Discovered by security researcher Orange Tsai and disclosed at Black Hat USA 2021, this vulnerability allows unauthenticated attackers to access privileged backend endpoints by exploiting a path confusion issue in the Autodiscover URL handler. When chained with CVE-2021-34523 (privilege elevation) and CVE-2021-31207 (post-authentication arbitrary file write), attackers achieve full SYSTEM-level remote code execution without any credentials.
Technical Details
The vulnerability exists in Exchange Server's Client Access Service (CAS) proxy architecture. A parsing bug in the Autodiscover frontend allows attackers to manipulate request routing, effectively impersonating any user when accessing backend services. The attack flow proceeds as follows:
- CVE-2021-34473: Attacker sends a specially crafted request that exploits the path confusion, gaining access to privileged endpoints as if authenticated
- CVE-2021-34523: The attacker leverages the PowerShell remoting endpoint to escalate privileges and act as an arbitrary mailbox owner
- CVE-2021-31207: Using the mailbox export feature, attacker-controlled content is written to disk, typically placing a webshell in the web root
Common webshell drop locations include:
- inetpub\wwwroot\aspnet_client
- %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\
- %ExchangeInstallPath%\FrontEnd\HttpProxy\ews\auth\
Impact
Mass exploitation began within 48 hours of public disclosure. Multiple ransomware groups including Conti, LockFile, BlackByte, and Babuk weaponized ProxyShell as their primary initial access vector throughout late 2021. Post-exploitation activities typically involved deploying Cobalt Strike beacons, running BloodHound for Active Directory reconnaissance, and establishing persistence through scheduled tasks. Since Exchange Server is tightly integrated with Active Directory, compromise often led to full domain takeover.
Mitigation
- Apply Microsoft's July 2021 Security Update or later cumulative updates immediately
- Exchange 2013 requires CU23, Exchange 2016 requires CU20+, Exchange 2019 requires CU9+
- Consider migration to Exchange Online or Exchange Server Subscription Edition (SE) for ongoing security support
- Restrict external access to Exchange services where possible
Detection
- Hunt for unexpected .aspx files in HttpProxy authentication directories
- Review IIS logs for anomalous Autodiscover requests with path manipulation patterns
- Audit Active Directory for newly created admin accounts or group membership changes
- Inspect scheduled tasks on Exchange servers for PowerShell-based persistence
- Monitor for suspicious IIS module installations
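The first two detection items above (unexpected .aspx files in the HttpProxy auth directories, and Autodiscover requests that smuggle a path in the query string) can be scripted. The following is an added example written for this page, not tooling from Microsoft or from the original advisory. It assumes IIS W3C logs in the default field order, a hypothetical allow-list of .aspx files that legitimately ship in the auth directories (the names used here are placeholders; build the real baseline from a clean server on the same CU), and constructed sample log lines with RFC 5737 documentation addresses.

```python
"""Hunting helpers for the Detection section (added example, not from the advisory).

Assumptions, not from the page: IIS W3C logs with the default field order below, a
placeholder baseline of legitimate .aspx names, and constructed sample log lines.
"""
import os
import re
import tempfile
from urllib.parse import unquote

# Default W3C field order written by IIS (assumption; read the "#Fields:" header on real logs).
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
              "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

AUTODISCOVER_JSON = re.compile(r"^/autodiscover/autodiscover\.json$", re.IGNORECASE)
# Backend endpoints that a plain Autodiscover lookup should never reference in its query.
PRIVILEGED_BACKEND = re.compile(r"/(powershell|mapi/nspi|ews/exchange\.asmx)\b", re.IGNORECASE)

# Constructed sample log: two legitimate client requests, then two requests whose query
# string carries an embedded path. 203.0.113.7 is a documentation address, not an IoC.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-13 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.20 Outlook/16.0 - 200 0 0 31
2021-08-13 10:01:05 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@corp.example 443 - 10.0.0.21 Outlook/16.0 - 200 0 0 12
2021-08-13 10:02:17 10.0.0.5 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@corp.example 443 - 203.0.113.7 python-requests/2.25 - 200 0 0 57
2021-08-13 10:02:18 10.0.0.5 POST /autodiscover/autodiscover.json @corp.example/powershell?&Email=x@corp.example 443 - 203.0.113.7 python-requests/2.25 - 200 0 0 1004
"""


def parse_iis_line(line):
    """Return a field dict for one W3C log line, or None for comments and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def is_suspicious_autodiscover(entry):
    """Heuristic: a legitimate autodiscover.json query is just Email=user@domain.
    A query that embeds a second autodiscover.json reference, a privileged backend
    endpoint, or a '/'-delimited path right after an '@' is path manipulation."""
    if not AUTODISCOVER_JSON.match(entry["cs-uri-stem"]):
        return False
    query = unquote(entry["cs-uri-query"])
    if query == "-":
        return False
    if "autodiscover.json" in query.lower():
        return True
    if PRIVILEGED_BACKEND.search(query):
        return True
    return bool(re.search(r"@[^&\s]*/", query))


def scan_iis_log(text):
    """Return (client IP, URI stem, raw query) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        entry = parse_iis_line(line)
        if entry and is_suspicious_autodiscover(entry):
            hits.append((entry["c-ip"], entry["cs-uri-stem"], entry["cs-uri-query"]))
    return hits


# Placeholder baseline (assumption): .aspx names expected in the auth directories.
# Generate the real set from a known-good install; anything outside it is reviewed.
KNOWN_GOOD_ASPX = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}


def find_unexpected_aspx(root, baseline=KNOWN_GOOD_ASPX):
    """Walk `root` and return relative paths of .aspx files not in the baseline."""
    unexpected = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".aspx") and name.lower() not in baseline:
                unexpected.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(unexpected)


def demo_file_hunt():
    """Run the file hunt over a constructed directory tree that mimics the OWA auth path."""
    with tempfile.TemporaryDirectory() as root:
        auth = os.path.join(root, "FrontEnd", "HttpProxy", "owa", "auth")
        os.makedirs(auth)
        for name in ("logon.aspx", "errorFE.aspx", "unexpected_constructed.aspx"):
            open(os.path.join(auth, name), "w").close()
        return find_unexpected_aspx(root)


if __name__ == "__main__":
    for ip, stem, query in scan_iis_log(SAMPLE_LOG):
        print(f"suspicious Autodiscover request from {ip}: {stem}?{query}")
    for path in demo_file_hunt():
        print(f"unexpected .aspx file: {path}")
```

On a real server, point `find_unexpected_aspx` at each HttpProxy auth directory listed in the drop locations above and feed `scan_iis_log` the frontend IIS logs for the exploitation window; the query-string heuristic is deliberately broad, so triage hits by client address and user agent rather than treating every match as confirmed exploitation.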