Security Update News
Update Information
| Title | Multiple Microsoft Exchange zero-day vulnerabilities – ProxyLogon Exploit Chain |
|---|---|
| Update ID | AKB:1BA7DC74-F17D-4C34-9A6C-2F6B39787AA2 |
| Type | attackerkb |
| Published | 2025-05-05T00:00:00 |
| Last Updated | 2025-05-05T00:00:00 |
Security Impact
| CVSS Score | 9.1 |
|---|---|
| Severity | CRITICAL |
| Attack Vector | NETWORK |
Affected CVEs
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
Update Details
In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
**Recent assessments:**
**ccondon-r7** at March 03, 2021 4:10pm UTC reported:
Microsoft released details on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft’s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the Rapid7 analysis tab.
**NinjaOperator** at June 29, 2021 9:51pm UTC reported:
Microsoft released details on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft’s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the Rapid7 analysis tab.
Assessed Attacker Value: 5