[KB7855] Does ESET protect me from the Hafnium zero-day exploit in Microsoft Exchange?



Click to expand

After exploiting vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.

For more details, see ESET Customer Advisory.


ESET software can detect and block the web shell used for remote code execution.

The detection for the web shells and backdoors used within this attack chain appears as:

  • JS/Exploit.CVE-2021-26855.Webshell.A
  • JS/Exploit.CVE-2021-26855.Webshell.B
  • ASP/Webshell
  • ASP/ReGeorg

The Microsoft Exchange server remote code execution vulnerabilities are:

Install the Microsoft security patch

ESET strongly advises installing the Microsoft security update immediately.

See Microsoft's article for details on how to install the security update.

See more technical information and attack details on HAFNIUM.

To ensure the highest level of security, we recommend that you are always on the latest version of your ESET product: Check for the latest version of your ESET business products

Keep ESET LiveGrid enabled

In some cases, your ESET product with ESET LiveGrid enabled may respond faster to new threats than modules updates.

Learn more about ESET LiveGrid and make sure it is enabled in your ESET product.

Minimize the risk of malware attack

What can I do to minimize the risk of a malware attack?

  • Back up your important data 
  • Do not change default settings
  • Download security patches

WeLiveSecurity blog post

To learn more about how you can protect your system from this exploit, we recommend that you read the following ESET blog post:

To see a list of all ESET security articles related to zero-day attacks, see zero-day attacks