On Sunday, Security researcher Axel Souchet released a PoC exploit for the newly disclosed IIS vulnerability tracked as CVE-2021-31166. Currently, the exploit only causes the operating system to crash. The IIS bug was disclosed and patched in the May 2021 Patch Tuesday and is a memory corruption vulnerability in the HTTP protocol stack included with recent Windows versions (Windows 10 2004 and 20H2). The bug is considered wormable due to how IIS operates and is exposed to an attacker, which pushes the CVSS score to 9.8. As previously mentioned, a patch is available and, Microsoft recommends “prioritizing the patching of affected servers.”
This vulnerability sets itself apart due to the versions of Windows affected. In many cases, organizations won’t be affected if they are not using new versions of Windows servers. However, if companies have affected versions of IIS running internally or in their DMZ, now is the time to patch. With a POC already released, the time from research to exploit is greatly reduced. Ingesting logs from IIS servers can offer insight when more information about how to detect exploitation becomes available.