Microsoft Exchange Server Pre-auth Path Confusion vulnerability (CVE-2021-34473) - Vulnerability Database

Description

Microsoft Exchange Server contains a pre-authentication path confusion vulnerability in its Autodiscover service (CVE-2021-34473). This flaw allows attackers to bypass authentication mechanisms and access backend resources that should be restricted. When chained with other vulnerabilities, such as deserialization flaws, this access can be leveraged to achieve remote code execution on the Exchange server without requiring valid credentials.

Remediation

Apply the latest Microsoft Exchange Server Cumulative Updates (CU) immediately. For Exchange Server 2019, install CU10 (build 15.2.858.5) or later. For Exchange Server 2016, install CU21 (build 15.1.2242.4) or later. For Exchange Server 2013, install CU23 (build 15.0.1497.18) or later. If immediate patching is not possible, implement URL rewrite rules to block malicious Autodiscover requests as a temporary mitigation. After patching, review Exchange logs for indicators of compromise, including unusual Autodiscover requests with path traversal patterns (e.g., requests containing '/autodiscover/autodiscover.json'). Verify that no unauthorized administrative accounts or web shells have been created on the server.
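To act on the build check and log-review steps above, the following is an added example (not Invicti's or Microsoft's code): it compares an Exchange build string against the fixed builds listed in the remediation and sweeps IIS access-log lines for requests to the Autodiscover path named as an indicator. The W3C field order and the sample log lines are assumed and constructed for the demonstration.

```python
# Path fragment the remediation text names as an indicator to look for.
AUTODISCOVER_MARKER = "/autodiscover/autodiscover.json"

# Fixed builds from the remediation text, keyed by the major.minor that
# identifies the product line (15.2 = 2019, 15.1 = 2016, 15.0 = 2013).
FIXED_BUILDS = {
    (15, 2): (15, 2, 858, 5),    # Exchange 2019 CU10
    (15, 1): (15, 1, 2242, 4),   # Exchange 2016 CU21
    (15, 0): (15, 0, 1497, 18),  # Exchange 2013 CU23
}

def is_patched(build: str) -> bool:
    """True if a four-part build string is at or above its line's fixed build."""
    parts = tuple(int(p) for p in build.split("."))
    fixed = FIXED_BUILDS.get(parts[:2])
    return fixed is not None and parts >= fixed

def find_autodiscover_hits(log_text: str) -> list:
    """Return requests whose URI stem contains the Autodiscover marker.

    Assumes W3C-style IIS lines in the order
    date time method uri-stem uri-query status client-ip; '#' headers are skipped.
    A hit is an indicator to triage, not proof of compromise: legitimate
    clients also call this endpoint.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line: skip rather than abort the sweep
        date, time, method, stem, _query, status, client = fields[:7]
        if AUTODISCOVER_MARKER in stem.lower():
            hits.append({"line": lineno, "time": f"{date} {time}", "method": method,
                         "stem": stem, "status": status, "client": client})
    return hits

# Constructed sample log for demonstration; not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2021-08-10 09:12:01 GET /owa/auth/logon.aspx - 200 10.0.0.5
2021-08-10 09:12:07 GET /autodiscover/autodiscover.json - 200 198.51.100.23
2021-08-10 09:12:09 POST /Autodiscover/Autodiscover.json - 200 198.51.100.23
2021-08-10 09:12:15 GET /ecp/default.aspx - 302 10.0.0.7
"""
```

Run `find_autodiscover_hits` over exported IIS logs from the Exchange front end and group the hits by client address to prioritise triage; `is_patched` takes the build shown by Get-ExchangeServer or the Exchange admin center.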