Microsoft Introduces One-Click ProxyLogon Fix Tool

One-Click ProxyLogon Fix

Microsoft developers have released a tool called EOMT (Exchange On-premises Mitigation Tool), designed to install updates on Microsoft Exchange servers and fix the ProxyLogon vulnerabilities with a single click.

The utility is already available for download on the company’s GitHub.

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers dubbed ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

"These vulnerabilities can be chained together and exploited to allow an attacker to authenticate to the Exchange server, gain administrator rights, install malware, and steal data," said Microsoft engineers.

Experts from Palo Alto Networks and Microsoft estimate that about 80,000 vulnerable Exchange servers are still reachable over the network and could be compromised.

Currently, attacks on vulnerable servers are being carried out by about 10 hacking groups, which are deploying web shells, miners and ransomware on the compromised servers.

EOMT is intended first of all for companies without in-house IT specialists who could understand the ProxyLogon problem and correctly install the necessary updates.

Installing the patches can itself be problematic. For example, it was previously reported that the Microsoft Exchange updates can be installed with many of the necessary fixes missing if UAC is enabled. As a result, the updates must be installed from a session running as administrator.

Microsoft now hopes that anyone at a company can handle the EOMT download and update by simply running EOMT.ps1. The script installs a URL Rewrite configuration on the server, which is enough to mitigate CVE-2021-26855, the bug that is the starting point of the exploit chain known collectively as ProxyLogon.
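The two practical points above (run elevated, and verify that a URL Rewrite rule is actually present afterwards) can be checked from PowerShell. The following is an added example, not code from the article or from Microsoft's EOMT; it assumes the IIS WebAdministration module is available, that the Exchange front end runs under the IIS site named "Default Web Site", and, since the exact name of the mitigation rule is not given here, it lists every rewrite rule on that site rather than matching a specific one. The registry key used to detect the URL Rewrite module is also an assumption.

```powershell
# Added example (not part of the article or of EOMT): read-only pre-flight and
# verification checks for an on-premises Exchange server.
#   1. Is this session elevated? (With UAC enabled, non-elevated installs can
#      leave patches incomplete, as the article notes.)
#   2. Is the IIS URL Rewrite module installed?
#   3. Which rewrite rules exist on "Default Web Site"? After EOMT.ps1 has run,
#      the CVE-2021-26855 mitigation rule should appear here.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UrlRewriteInstalled {
    # Assumption: the IIS URL Rewrite module registers under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'
    return Test-Path $key
}

function Get-DefaultSiteRewriteRules {
    Import-Module WebAdministration -ErrorAction Stop
    # Assumption: the Exchange front end is hosted under "Default Web Site".
    $filter = 'system.webServer/rewrite/rules/rule'
    Get-WebConfiguration -Filter $filter -PSPath 'IIS:\Sites\Default Web Site' -ErrorAction SilentlyContinue
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not running elevated. Re-open PowerShell as Administrator before running EOMT.ps1 or installing updates.'
    exit 1
}

if (-not (Test-UrlRewriteInstalled)) {
    Write-Warning 'IIS URL Rewrite module not found. This is expected on a server where the mitigation has not yet been applied.'
}

$rules = @(Get-DefaultSiteRewriteRules)
if ($rules.Count -eq 0) {
    Write-Warning 'No URL Rewrite rules on Default Web Site: the CVE-2021-26855 mitigation does not appear to be in place.'
} else {
    Write-Output "Found $($rules.Count) rewrite rule(s) on Default Web Site:"
    $rules | ForEach-Object {
        # name, match/url and action/type are the attributes worth reviewing.
        [pscustomobject]@{
            Name    = $_.name
            Pattern = $_.match.url
            Action  = $_.action.type
        }
    } | Format-Table -AutoSize
}
```

Run the script before and after EOMT.ps1: the first run should warn that no rules are present and (on many servers) that the module is missing; the second run should list at least one rule. It makes no changes to the server, so it is safe to re-run as a periodic check that the mitigation has not been removed.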

The tool also includes a copy of Microsoft Safety Scanner, which scans the Exchange server for known web shells previously observed in ProxyLogon attacks. If any are found, Microsoft Safety Scanner removes the backdoor, cutting off the cybercriminals' access.

Let me also remind you that a researcher recently published a PoC exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, though shortly afterwards GitHub removed the ProxyLogon exploit and was criticized for doing so.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
