Team: Huntress EDR
Product: Exchange Patch Management, Webshells, ProxyLogon, ProxyShell
Environment: Exchange Server
Summary: Exchange servers are highly targeted and often prone to attack. We recommend regular patching to ensure vulnerabilities are addressed as soon as possible.
I received an Exchange report but I've already patched? How is this possible?
You may have received an Exchange report from us, these are valid and likely not false positives.
UPDATE 8/24: Our researchers are finding some hidden webshells on some end points and we are sending out reports--even with the latest patches. Remember the patches prevent or remove new webshells from being dropped on a machine. It does not prevent an existing web shell from being executed.
There are new vulnerabilities identified after the "ProxyLogon" vulnerabilities and requires a more recent patch--15.01.2176.014+ for Exchange 2019 and 15.01.2242.010+ for Exchange 2016.
More information here: Exchange Report - ProxyShell