CVE-2021-31206: Microsoft Exchange Server Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.6)

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2021-Jul

Released

2021-07-13

EPSS Score

8.71% (percentile: 92.5%)

FAQ

Was this vulnerability found in the 2021 Pwn2Own contest? Yes, this was one of the Exchange Server vulnerabilities found in the 2021 Pwn2Own contest.

Affected Products (5)

Exchange Server

• Microsoft Exchange Server 2019 Cumulative Update 9
• Microsoft Exchange Server 2016 Cumulative Update 20
• Microsoft Exchange Server 2013 Cumulative Update 23
• Microsoft Exchange Server 2016 Cumulative Update 21
• Microsoft Exchange Server 2019 Cumulative Update 10

Security Updates (5)

• 5004780
• 5004779
• 5004778
• 5004779
• 5004780

Acknowledgments

Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative

Revision History

• 2021-07-13: Information published.