Hafnium and the Microsoft Exchange Zero-Days — A Supply Chain Nightmare Unfolds

Author: Osmond van Hemert
Supply Chain Security - This article is part of a series.

If you run on-premises Microsoft Exchange servers — or more critically, if your clients do — stop reading this and go patch. Seriously. Then come back.

On Tuesday, Microsoft released emergency out-of-band security updates for four zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019. These aren’t theoretical. They’re being actively exploited in the wild by a state-sponsored group Microsoft has dubbed “Hafnium,” believed to be operating out of China. And the scale of this thing is staggering.

The vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — can be chained together to achieve unauthenticated remote code execution on any internet-facing Exchange server. An attacker can read emails, plant web shells for persistent access, and move laterally through your network. All without credentials.

How the Attack Chain Works

The chain starts with CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server itself. This is the initial foothold — no authentication required, just an HTTPS connection to port 443.

From there, CVE-2021-26857 exploits an insecure deserialization vulnerability in the Unified Messaging service. If that service is enabled (it often is), the attacker gains SYSTEM-level code execution. The remaining two CVEs provide post-authentication arbitrary file write capabilities, which are being used to drop web shells — typically in accessible directories like C:\inetpub\wwwroot\aspnet_client\.

What makes this particularly nasty is the simplicity. The SSRF vulnerability means any Exchange server with Outlook Web Access (OWA) exposed to the internet is a target. And there are hundreds of thousands of these servers. Volexity, who discovered the initial exploitation, reports seeing activity going back to at least January 6, 2021. That’s nearly two months of active exploitation before patches were available.

The Scale Problem

Reports are already suggesting that at least 30,000 organizations in the United States alone have been compromised, and that number is likely to grow significantly. Brian Krebs is reporting that the attackers appeared to dramatically increase their scanning and exploitation activity in the days before the patches dropped, as if they knew the window was closing.

This raises uncomfortable questions about the disclosure timeline. Microsoft was notified of the vulnerability by Volexity and DEVCORE in early January, but patches didn’t ship until March 2. In the intervening two months, exploitation went from targeted to broad. Whether the attackers learned of the impending patches through their own intelligence or whether there was a leak in the disclosure process is an open question.

For smaller organizations — the ones without dedicated security teams — this is a catastrophe in slow motion. Many are running Exchange precisely because they don’t have the resources for complex cloud migrations. They’re now expected to not only patch but also forensically examine their servers for web shells, check for signs of lateral movement, and potentially rebuild compromised systems. That’s a tall order for a two-person IT shop.

The Cloud Migration Argument (and Its Limits)

The inevitable take is already circulating: “This wouldn’t have happened on Exchange Online.” And it’s technically true — Exchange Online (Microsoft 365) is not affected by these vulnerabilities. Microsoft manages the infrastructure, applies patches immediately, and handles the security monitoring.

But let’s not pretend cloud migration is a simple solution for everyone. Organizations run on-premises Exchange for reasons: regulatory requirements, data sovereignty concerns, legacy integrations, or simply because the per-user-per-month cost of Microsoft 365 doesn’t work for their budget. Telling a 200-person nonprofit to “just move to the cloud” after they’ve been breached is not helpful.

That said, this incident will absolutely accelerate Exchange Online migrations. The operational burden of running your own email infrastructure was already hard to justify, and this tips the scales further. If you can’t patch four zero-days within hours of disclosure, you probably shouldn’t be running the server yourself.

What To Do Right Now

If you’re responsible for Exchange servers:

  1. Patch immediately. Updates are available for Exchange 2013 CU23, 2016 CU18/CU19, and 2019 CU7/CU8.
  2. Run Microsoft’s detection script. They’ve published a PowerShell script that checks for known indicators of compromise.
  3. Search for web shells. Check C:\inetpub\wwwroot\aspnet_client\ and your Exchange installation directories for unexpected .aspx files.
  4. Check OAB virtual directory configurations. Attackers are modifying these to point to their web shells.
  5. Assume compromise. If your server was internet-facing and unpatched before March 2, treat it as compromised until you can prove otherwise.
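
Steps 3 and 4 as a first-pass triage script, added here as an example rather than code from the original post or from Microsoft. It assumes it runs in the Exchange Management Shell on the server itself, that Exchange lives under the default V15 install path, and that a legitimate OAB URL has the path /OAB (all assumptions; adjust for your environment).

```powershell
# Added triage example (not from the original post or from Microsoft). Assumed: run in the
# Exchange Management Shell on the Exchange server, default install path, /OAB as the OAB path.
$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'   # assumed default install path
$Cutoff       = Get-Date '2021-01-01'                               # exploitation seen from early January 2021

function Find-SuspiciousAspx {
    # aspnet_client normally holds no .aspx pages at all, so any hit there is worth a look.
    # The FrontEnd\HttpProxy tree legitimately contains .aspx pages, so there we only flag
    # files written after the cutoff. Patching also rewrites files: treat hits as leads to
    # inspect by hand, not as proof of compromise.
    $targets = @(
        @{ Path = 'C:\inetpub\wwwroot\aspnet_client';             FlagAll = $true  },
        @{ Path = (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'); FlagAll = $false }
    )
    foreach ($t in $targets) {
        if (-not (Test-Path $t.Path)) { continue }
        Get-ChildItem -Path $t.Path -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $t.FlagAll -or $_.LastWriteTime -gt $Cutoff } |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Test-OabVirtualDirectory {
    # A healthy OAB virtual directory points at a plain http(s) URL whose path is /OAB.
    # A value that does not parse as such, or that carries markup characters, is exactly
    # the kind of tampering step 4 describes and should be reviewed immediately.
    Get-OabVirtualDirectory | ForEach-Object {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $value = [string]$_.$prop
            if ([string]::IsNullOrEmpty($value)) { continue }   # an unset URL is allowed
            $uri = $null
            $ok  = [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri) -and
                   ($uri.Scheme -in 'http', 'https') -and
                   $uri.AbsolutePath -eq '/OAB' -and
                   $value -notmatch '[<>]'
            if (-not $ok) {
                [pscustomobject]@{ Server = $_.Server; Property = $prop; Value = $value }
            }
        }
    }
}

Find-SuspiciousAspx      | Format-Table -AutoSize
Test-OabVirtualDirectory | Format-Table -AutoSize
```

An empty result from both functions does not clear the server (step 5 still applies); a non-empty one tells you which files and directory objects to preserve and examine before remediating.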

My Take

We’re barely three months past the SolarWinds disclosure, and here we are again. Different attack vector, different actors, but the same fundamental problem: critical infrastructure running software that’s difficult to patch quickly, managed by teams that are stretched thin.

I’ve spent three decades watching the industry slowly move toward “someone else’s problem” as a security model — whether that’s managed services, cloud platforms, or SaaS. For all the valid criticisms of that approach, incidents like this make the case more eloquently than any sales pitch could.

The Hafnium attack is going to be a defining cybersecurity event of 2021. The number of compromised organizations is enormous, and the cleanup will take months. If you’re in a position to help — especially smaller organizations without security expertise — now is the time.
