Thursday, May 22, 2025
HomeCyber AttackNew Microsoft Exchange Zero-Day RCE Bug Actively Exploited by Hackers

New Microsoft Exchange Zero-Day RCE Bug Actively Exploited by Hackers

Published on

SIEM as a Service

Follow Us on Google News

New zero-day bugs existing in Microsoft Exchange that are not disclosed yet publicly are being exploited by the threat actors in order to perform remote code execution on affected systems.

These attacks are first spotted by security experts at Vietnamese cybersecurity outfit GTSC during a routine security checkup. Microsoft was notified privately three weeks ago of the security vulnerabilities by the researchers through their Zero Day Initiative program.

On compromised servers, the hackers deployed Chinese Chopper web shells by combining two zero-day vulnerabilities. While they deploy the malicious Chinese Chopper web shells for three primary illicit goals:-

- Advertisement - Google News
  • To gain persistence 
  • Data theft
  • Move laterally to other systems

Apart from this, it has been presumed based on the code page of the web shells, the attack is being carried out by a Chinese threat group.

https://twitter.com/GossiTheDog/status/1575580072961982464

Webshell

In this case, the web shells are installed by Antsword’s user agent. With Web Shell management support, Antsword is an open-source website admin tool that is developed in Chinese.

It is still unclear what Microsoft has done about the two security flaws so far since the company has not yet assigned a CVE ID to any of them to ensure their tracking.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative.

A very limited amount of information has been released about these zero-day flaws by GTSC. However, they did reveal that the attacks that targeted the ProxyShell flaws and the requests used in this exploit chain are completely identical.

Exploit stages

Two stages are involved in the exploit in order to work:-

  • In IIS logs, exploit requests with the same format as the ProxyShell vulnerability have been detected:

autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com.

  • It is possible to implement RCE in the backend with the help of the link above which can be operated to access an element in the backend.

Detection

Consequently, GTSC has released guidelines and a tool that can be used to look up IIS log files. This tool can be used to determine if this bug has exploited any Exchange servers or not.

  • First of all, you have to use the Powershell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200 

  • Secondly use the tool developed by GTSC that can be downloaded from here.

Cyber Attack with Zero Trust Networking – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party...

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate...

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party...

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate...