https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065

http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html

http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html

This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been targeted in the Hafnium campaign. It is recommended that the results are manually verified and appropriate remediation actions taken.

Note that Nessus has not tested for this issue but has instead looked for .aspx files that could potentially indicate compromise.

The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:

  - A remote code execution vulnerability. An attacker could exploit this to   execute unauthorized arbitrary code. (CVE-2021-26412, CVE-2021-26854,   CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065,   CVE-2021-27078)

ID	Name	Product	Family	Severity
147193	Potential exposure to Hafnium Microsoft Exchange targeting	Nessus	Windows	high
147003	Security Updates for Microsoft Exchange Server (March 2021)	Nessus	Windows : Microsoft Bulletins	critical

CVE-2021-27065

high

Tenable Plugins

high

critical