Microsoft Exchange Server Information Disclosure Vulnerability
CVE-2021-33766

7.3HIGH

Key Information:

Vendor
Microsoft
Status
Microsoft Exchange Server 2019 Cumulative Update 9
Microsoft Exchange Server 2016 Cumulative Update 20
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016 Cumulative Update 19
Vendor
CVE Published:
14 July 2021

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 92%πŸ¦… CISA Reported

Summary

Microsoft Exchange Information Disclosure Vulnerability

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Update 19 = unspecified

Microsoft Exchange Server 2016 Cumulative Update 20 = unspecified

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-33766
Created by bhdresh

CVE-2021-33766-ProxyToken
Created by demossl

References

https://portal.msrc.microsoft.com/en-US/security-guidance...
x_refsource_MISC
https://www.zerodayinitiative.com/advisories/ZDI-21-798/
x_refsource_MISC

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ¦…

    CISA Reported

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre DatabaseCISA Database2 Proof of Concept(s)
.