CVE-2021-26855 PoC — Microsoft Exchange Server Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)
Description: Microsoft Exchange Server Remote Code Execution Vulnerability
Description
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
Readme
![](https://github.com/SCS-Labs/Images/raw/main/SCS%20-%20HAFNIUM.png)



- #### [Indicators](/indicators/README.md)
- #### [Timeline](Timeline.md)
- #### [Tool Detections](/tool-detections/README.md)
- #### [Post Exploitation](/post-exploitation/README.md)
- #### [Mitigations and Detections](/mitigations-and-detections/README.md)
- #### [Vendor Security Research](/vendor-security-research/README.md)
- #### [Government or Agency Security Research](/gov-sec-research/README.md)
- #### [Tweets](Tweets.md)
- #### [Cool Resources](/resources/README.md)


## To-Do Checklist

- [ ] Indicators 
- [X] Timeline
- [ ] Tool Detections
- [ ] Post Exploitation
- [ ] Mitigations and Detections
- [ ] Vendor Security Research
- [ ] Government or Agency Security Research
- [X] Tweets
- [ ] Cool Resources


# Contributing

If you want to contribute to this all-in-one resource for the HAFNIUM Microsoft Exchange 0-day, please open a pull request.
File Snapshot

```
[4.0K] /data/pocs/fbd37aaf2dc8b02a37b383db94afa287ca8c81bf
├── [1.6K] CVE.md
├── [ 432] github-repos.md
├── [4.0K] gov-sec-research
│   ├── [ 0] CERT-Latvia.md
│   ├── [ 0] CISA.md
│   └── [ 67] README.md
├── [4.0K] indicators
│   ├── [ 522] hashes
│   ├── [ 212] ip-addresses
│   ├── [3.1K] README.md
│   ├── [ 933] useragents
│   ├── [ 189] webshell_names
│   └── [ 721] webshell_paths
├── [4.0K] mitigations-and-detections
│   └── [ 32] README.md
├── [4.0K] post-exploitation
│   └── [ 22] README.md
├── [ 945] README.md
├── [4.0K] resources
│   └── [ 716] README.md
├── [4.0K] Timeline.md
├── [4.0K] tool-detections
│   ├── [4.0K] Azure-Sentinel
│   │   ├── [ 217] Downloads of PowerCat
│   │   ├── [ 339] Exchange PowerShell Snapin being loaded
│   │   ├── [1.5K] HAFNIUMNewUMServiceChildProcess.yaml
│   │   ├── [1.4K] HAFNIUMSuspiciousExchangeRequestPattern.yaml
│   │   ├── [1.3K] HAFNIUMSuspiciousFileDownloads.yaml
│   │   ├── [1.2K] HAFNIUMSuspiciousIMServiceError.yaml
│   │   ├── [1.8K] HAFNIUMUmServiceSuspiciousFile.yaml
│   │   └── [ 181] Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging
│   ├── [4.0K] Microsoft-Defender
│   │   ├── [ 153] Generic Microsoft Defender AV Queries
│   │   ├── [ 77] Microsoft Defender AV Queries
│   │   ├── [ 250] UMWorkerProcess.exe in Exchange creating abnormal content
│   │   └── [ 146] UMWorkerProcess.exe spawning
│   └── [ 209] README.md
├── [1.4K] Tweets.md
└── [4.0K] vendor-security-research
    ├── [ 865] Cisco-Talos.md
    ├── [ 13K] Fireeye.md
    ├── [ 0] Mandiant-Managed-Defense.md
    ├── [ 0] Nextron-Systems.md
    ├── [ 276] README.md
    ├── [ 0] Recon-Infosec.md
    ├── [ 20K] Red-Canary.md
    └── [ 18K] Volexity.md

9 directories, 38 files
```