Threat Advisory: New PoC exploit for Exchange SSRF CVE-2021-26855

A new PoC exploit for Exchange SSRF (CVE-2021-26855) has been circulating in the wild. It appears to originate from researchers in Asia. The ease with which this PoC can be weaponized underscores concerns about how prevalent these issues are globally. The last time we checked, Shodan was still showing vulnerable OWA servers exposed to the internet.

In this threat advisory, we take a closer look at SSRF, a not-so-common technique used to manipulate. In a nutshell, in a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources.

The past 72 hours have seen multiple posts flooding MS forums, with Exchange admins asking for help and advice as they attempt to gauge where they stand given the chaos of the situation.

Screenshot taken from MS Forums

Reviewing telemetry data, we have identified attempts to target customers in the following industries:

In this micro-blog, we will take a closer look at how the new PoC circulating in the wild actually works.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange, which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. 
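A defender-side check for this CVE, as an added example that is not part of the original advisory: it scans Exchange HttpProxy log rows for the indicator Microsoft published for CVE-2021-26855, an empty AuthenticatedUser together with an AnchorMailbox matching `ServerInfo~*/*`. The log rows, hostnames, paths and reduced column set below are constructed for illustration.

```python
import csv
import fnmatch

# Constructed sample shaped like an Exchange HttpProxy log. Real logs carry
# many more columns; hostnames, users and paths here are placeholders.
SAMPLE_LOG = """\
DateTime,AuthenticatedUser,AnchorMailbox,UrlStem,HttpStatus,UserAgent
2021-03-10T08:01:12.101Z,CONTOSO\\alice,Sid~S-1-5-21-1111-2222-3333-1105,/owa/,200,Mozilla/5.0
2021-03-10T08:02:40.553Z,,ServerInfo~backend.example.internal/placeholder/path,/ecp/placeholder,200,ExampleClient/1.0
#Software: Microsoft Exchange Server
2021-03-10T08:03:05.009Z,,,/owa/auth/logon.aspx,200,Mozilla/5.0
2021-03-10T08:04:19.870Z,,ServerInfo~EXCH01.contoso.example,/ecp/default.aspx,200,Mozilla/5.0
"""

# Case-insensitive wildcard taken from Microsoft's published indicator:
# a ServerInfo~ routing hint that also contains a '/' after the host part.
ANCHOR_PATTERN = "serverinfo~*/*"


def suspicious_proxy_entries(log_text):
    """Return rows where AuthenticatedUser is empty AND AnchorMailbox
    matches ServerInfo~*/* (both conditions must hold)."""
    # Drop blank lines and '#'-prefixed metadata lines that can appear
    # between the CSV header and the data rows.
    lines = [ln for ln in log_text.splitlines()
             if ln.strip() and not ln.startswith("#")]
    hits = []
    for row in csv.DictReader(lines):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if not user and fnmatch.fnmatchcase(anchor.lower(), ANCHOR_PATTERN):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in suspicious_proxy_entries(SAMPLE_LOG):
        # Print the fields an analyst would pivot on first.
        print(hit["DateTime"], hit["AnchorMailbox"], hit["UrlStem"],
              hit["HttpStatus"], hit["UserAgent"])
```

A hit is a lead for triage rather than proof of compromise; correlate the timestamp with other Exchange and IIS logs for the same window.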

The PoC exploit sends the following HTTP request to the vulnerable Microsoft Exchange server 

The vulnerable Microsoft Exchange server responds back with the following message