Potential exposure to Hafnium Microsoft Exchange targeting

high Nessus Plugin ID 147193
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


Detects potential IOCs for Hafnium


This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been targeted in the Hafnium campaign. It is recommended that the results are manually verified and appropriate remediation actions taken.

Note that Nessus has not tested for this issue but has instead looked for .aspx files that could potentially indicate compromise.


Microsoft has released security updates KB5000978 and KB5000871 to address this issue

See Also



Plugin Details

Severity: High

ID: 147193

File Name: hafnium_ioc_detect.nbin

Version: 1.19

Type: local

Agent: windows

Family: Windows

Published: 3/8/2021

Updated: 10/4/2021

Dependencies: microsoft_exchange_installed.nbin

Risk Information

CVSS Score Source: CVE-2021-27065


Risk Factor: Critical

Score: 9.9


Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C


Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:exchange_server

Required KB Items: installed_sw/Microsoft Exchange, SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/2/2021

Vulnerability Publication Date: 3/2/2021

Exploitable With

Metasploit (Microsoft Exchange ProxyLogon RCE)

Reference Information

CVE: CVE-2021-26857, CVE-2021-26858, CVE-2021-27065