What We Do
How we do it
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
Jun 03, 2022
UPDATE: CVE-2022-26134 – Confluence Zero-Day Vulnerability
THE THREAT June 3rd Update: Atlassian has released security patches to address this vulnerability. On June 2nd, 2022, Atlassian disclosed a critical vulnerability impacting the Confluence…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
May 17, 2022
Cybersecurity Leader eSentire Continues Its Commitment to Rigorous Security Standards Earning PCI DSS Certification
Waterloo, ON, May 17, 2022 — eSentire, the Authority in Managed Detection and Response (MDR), maintains one of the most secure and robust IT environments of any MDR provider in the industry. To that end, eSentire today announced that it has received the Payment Card Industry Data Security Standard (PCI DSS) certification, considered one of the most stringent and comprehensive payment card…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Security advisories — Aug 24, 2021

UPDATE: PoC Released, Active Exploitation of Exchange Vulnerabilities Observed

3 minutes read
Speak With A Security Expert Now


eSentire has observed active exploitation of the ProxyShell vulnerabilities; external sources have confirmed attacks are ongoing. Multiple threat actor groups are exploiting the cluster of Exchange vulnerabilities known as ProxyShell: CVE-2021-31207, CVE-2021-34523, CVE-2021-34473. Exploitation of the ProxyShell vulnerabilities may result in Remote Code Execution (RCE). In observed attacks, threat actors have been identified deploying webshells to unpatched Exchange servers for later access.

Security patches for all three vulnerabilities have been available since May 2021. It is critical that organizations ensure security patches have been deployed. If the relevant security patches have not already been deployed and the vulnerable server is exposed to the Internet, organizations should assume exploitation has occurred.

What we’re doing about it

What you should do about it

Additional information

ProxyShell is comprised of three Exchange vulnerabilities chained together to execute malicious code on vulnerable servers:

The attack was demonstrated at Pwn2own 2021 in April 2021. Microsoft patched the vulnerabilities in their April and May 2021 security updates respectively. CVE-2021-34473 and CVE-2021-34523 were disclosed in July but originally patched in the April 2021 security updates.

Following researcher Orange Tsai’s technical reveal of the vulnerabilities at Black Hat 2021, attacker interest has grown. eSentire security teams observed Proof-of-Concept code posted to GitHub and Metasploit modules in mid-August, greatly facilitating attacks. Widespread exploitation in the wild was observed in external reports ,and eSentire security teams have responded to several incidents at our customers.

Incident Observables

In observed exploitation events, webshells are uploaded to vulnerable Exchange servers via ProxyShell vulnerabilities and remotely accessed via port 443 from the Internet.

Webshell Creation

Webshell Interaction

Aspx Webshell Content

IP Addresses Observed in Exploitation Events:



[1] https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell
[2] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
[5] https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
[6] https://twitter.com/DaveKleinatland/status/1429690829166235648

Join 100,000+ Security Leaders

Get notified when there's a new security advisory, and receive the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs