CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability

Overview

Severity: Critical (CVSS 9.1)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Actively Exploited
Exploitation Likelihood: Detected
Patch Tuesday: 2021-Mar
Released: 2021-03-02
Last Updated: 2021-03-16
EPSS Score: 93.97% (percentile: 99.9%)
CISA KEV: Listed, due 2022-05-03

FAQ

Is this vulnerability being used in an active attack?
Yes. The vulnerability described in this CVE is one of four vulnerabilities that are being exploited in an active attack. The security updates address this attack. More information can be found here: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server.

What is the target for this attack?
The initial attack in this attack chain targets an Exchange On-prem server that is able to receive untrusted connections from an external source. In addition, the Exchange server would need to be running Microsoft Exchange Server 2013, 2016, or 2019.

Where can I get more information about how to protect myself from the vulnerabilities?
Please see On-Premises Exchange Server Vulnerabilities Resource Center – updated March 25, 2021.

If I install the Security Updates for the older Cumulative Updates, am I fully protected from vulnerabilities for all published CVEs?
No, you will be protected from the vulnerabilities documented by CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858. You will not be protected from some previous CVEs as shown in the table below.

Yes: the system is protected from the vulnerability.
No: the system is not protected from the vulnerability.

Microsoft Exchange Server 2019

Date Released | Severity  | CVE           | ES 2019 CU8 | ES 2019 CU7 | ES 2019 CU6 | ES 2019 CU5 | ES 2019 CU4 | ES 2019 CU3 | ES 2019 CU2 | ES 2019 CU1 | ES 2019
8/14/2018     | Critical  | CVE-2018-8302 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | No
10/9/2018     | Important | CVE-2018-8448 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | No
11/13/2018    | Important | CVE-2018-8581 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | No          | No
12/11/2018    | Important | CVE-2018-8604 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | No          | No
1/8/2019      | Important | CVE-2019-0586 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | No          | No
1/8/2019      | Important | CVE-2019-0588 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | No          | No
2/12/2019     | Important | CVE-2019-0686 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | No          | No
2/12/2019     | Important | CVE-2019-0724 | Yes         | Yes         | Yes         | Yes         | Yes         | Yes         | Y

Known Exploits (35)

  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2025-12-04T07:11:00Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2024-01-04T22:48:21Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2023-04-23T22:26:45Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2023-02-02T13:20:45Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-06-27T08:07:48Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-06-24T17:42:28Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-04-02T23:57:02Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-12-04T22:38:30Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-04-14T11:12:30Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-29T21:10:34Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-24T01:12:48Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-21T06:16:24Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-18T10:45:54Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-17T03:56:54Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-17T03:32:19Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-15T14:03:16Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-15T12:33:04Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-15T09:02:40Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-14T22:57:21Z
  • Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-03-14T14:23:34Z

Detection & Weaponization (3 sources)

Maturity: Exploit

  • Metasploit modules: Microsoft Exchange ProxyLogon Collector, Microsoft Exchange ProxyLogon Scanner, Microsoft Exchange ProxyLogon RCE
  • Nuclei templates: Microsoft Exchange Server SSRF Vulnerability
  • GitHub PoC: 49 repositories

Affected Products (24)

Exchange Server

  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server 2013 Cumulative Update 22
  • Microsoft Exchange Server 2019 Cumulative Update 2
  • Microsoft Exchange Server 2016 Cumulative Update 13
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 3
  • Microsoft Exchange Server 2016 Cumulative Update 14
  • Microsoft Exchange Server 2019 Cumulative Update 4
  • Microsoft Exchange Server 2016 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 5
  • Microsoft Exchange Server 2019 Cumulative Update 6
  • Microsoft Exchange Server 2016 Cumulative Update 16
  • Microsoft Exchange Server 2016 Cumulative Update 17
  • Microsoft Exchange Server 2019 Cumulative Update 7
  • Microsoft Exchange Server 2016 Cumulative Update 18
  • Microsoft Exchange Server 2013 Cumulative Update 21
  • Microsoft Exchange Server 2016 Cumulative Update 12
  • Microsoft Exchange Server 2016 Cumulative Update 8
  • Microsoft Exchange Server 2019 Cumulative Update 1
  • Microsoft Exchange Server 2016 Cumulative Update 9
  • Microsoft Exchange Server 2016 Cumulative Update 10
  • Microsoft Exchange Server 2016 Cumulative Update 11

Security Updates (24)

Acknowledgments

Microsoft Threat Intelligence Center (MSTIC), Orange Tsai (https://twitter.com/orange_8361) from DEVCORE (https://devco.re/) research team, Volexity

Revision History

  • 2021-03-02: Information published.
  • 2021-03-02: Updated one or more CVSS scores for the affected products. This is an informational change only.
  • 2021-03-08: Microsoft is releasing security updates for CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates that are out of support, including Exchange Server 2019 CU 6, CU 5, and CU 4 and Exchange Server 2016 CU 16, CU 15, and CU 14. These updates address only those CVEs. Customers who want to be protected from these vulnerabilities can apply these updates if they are not on a supported cumulative update. Microsoft strongly recommends that customers update to the latest supported cumulative updates.
  • 2021-03-10: Microsoft is releasing security updates for CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates that are out of support, including Exchange Server 2019 CU 3; Exchange Server 2016 CU 17, CU 13, and CU 12; and Exchange Server 2013 CU 22 and CU 21. These updates address only those CVEs. Customers who want to be protected from these vulnerabilities can apply these updates if they are not on a supported cumulative update. Microsoft strongly recommends that customers update to the latest supported cumulative updates.
  • 2021-03-11: Microsoft is releasing the final set of security updates for CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates that are out of support, including Exchange Server 2019 CU 1 and CU 2; and Exchange Server 2016 CU 8, CU 9, CU 10, and CU 11. These updates address only those CVEs. Customers who want to be protected from these vulnerabilities can apply these updates if they are not on a supported cumulative update. Microsoft strongly recommends that customers update to the latest supported cumulative updates.
  • 2021-03-16: Microsoft is releasing a security update for CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for Microsoft Exchange Server 2013 Service Pack 1. This update addresses only those CVEs. Customers who want to be protected from these vulnerabilities can apply this update if they are not on a supported cumulative update. Microsoft strongly recommends that customers update to the latest supported cumulative updates.