CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability
Overview
- Severity: Medium (CVSS 6.6)
- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category: Security Feature Bypass
- Exploit Status: Not Exploited (Microsoft's assessment when the advisory was published, matching E:U in the temporal vector; the CISA KEV entry below records later in-the-wild exploitation)
- Exploitation Likelihood: Less Likely
- Publicly Disclosed: Yes
- Patch Tuesday: 2021-May
- Released: 2021-05-11
- Last Updated: 2023-10-26
- EPSS Score: 93.84% (percentile: 99.9%)
- CISA KEV: Listed, remediation due 2021-11-17
FAQ
Was this vulnerability found in the 2021 Pwn2Own contest?
Yes. This is one of the Exchange Server vulnerabilities that Orange Tsai of DEVCORE demonstrated at Pwn2Own 2021 (see Acknowledgments); it is the file-write stage of the chain later named ProxyShell, which Microsoft classified as a security feature bypass.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation requires the attacker to take additional actions to prepare the target environment before this vulnerability can be used. For this CVE the preparation is the rest of the ProxyShell chain, which is what the Metasploit module listed below implements: the attacker first needs an authenticated session against the Exchange PowerShell backend (obtained in the original chain through CVE-2021-34473 and CVE-2021-34523) and an account holding the Mailbox Import Export role; only then does this bypass let the mailbox export feature write an attacker-controlled file, typically a web shell, into the IIS web root. That dependency is also why the vector carries PR:H. For defenders the useful signals are unexpected Mailbox Import Export role assignments and mailbox export requests whose destination is a web-served path rather than a PST share.
Known Exploits (6)
- Microsoft Exchange Server Security Feature Bypass Vulnerability — added 2021-09-04T15:34:03Z
- Microsoft Exchange Server Security Feature Bypass Vulnerability — added 2021-08-18T20:11:27Z
- Microsoft Exchange Server Security Feature Bypass Vulnerability — added 2021-08-16T17:59:41Z
- Microsoft Exchange Server Security Feature Bypass Vulnerability — added 2021-08-13T14:45:38Z
- Microsoft Exchange Server Security Feature Bypass Vulnerability — added 2021-08-13T09:38:21Z
- Microsoft Exchange Server Security Feature Bypass Vulnerability — added 2021-08-10T15:01:02Z
Detection & Weaponization (1 source)
Maturity: Exploit
- Metasploit module: Microsoft Exchange ProxyShell RCE
Affected Products (5)
Exchange Server
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 9
- Microsoft Exchange Server 2016 Cumulative Update 20
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2019 Cumulative Update 8
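Each of the five affected CUs received its own May 2021 SU build, so "is this server at or above the fixed build" has to be evaluated per CU, not per product line: a fully patched 2016 CU19 server carries a lower build number than an unpatched CU20 server. The following Python is an added example, not code from the advisory, Microsoft, DEVCORE or the Metasploit module. The fixed build numbers in it are the ones Microsoft published for the May 2021 SU (KB5003435) for the five CUs listed above; confirm them against Microsoft's current Exchange build table before relying on the result, and treat the sample builds in the demo as constructed input.

```python
"""Classify an Exchange Server build against the May 2021 Security Update.

Added example for this advisory; not code from Microsoft, DEVCORE or the
Metasploit module. The fixed builds below are Microsoft's published May 2021
SU builds (KB5003435) for the five CUs the advisory lists; confirm them against
Microsoft's current Exchange build table before relying on the result.
"""
from typing import NamedTuple, Optional, Tuple

# Each CU is identified by the first three version components and has its own
# SU build, so the lookup is keyed per CU rather than per product line.
MAY_2021_SU = {
    (15, 0, 1497): ("Exchange Server 2013 CU23", (15, 0, 1497, 18)),
    (15, 1, 2176): ("Exchange Server 2016 CU19", (15, 1, 2176, 14)),
    (15, 1, 2242): ("Exchange Server 2016 CU20", (15, 1, 2242, 10)),
    (15, 2, 721): ("Exchange Server 2019 CU8", (15, 2, 721, 13)),
    (15, 2, 792): ("Exchange Server 2019 CU9", (15, 2, 792, 13)),
}


class Verdict(NamedTuple):
    product: Optional[str]      # matched CU, or None when not one of the five
    status: str                 # "patched", "vulnerable" or "unlisted"
    fixed_build: Optional[str]  # the May 2021 SU build for that CU


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '15.1.2176.14' into (15, 1, 2176, 14); reject anything else."""
    parts = tuple(int(p) for p in build.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part Exchange build, got {build!r}")
    return parts


def assess(build: str) -> Verdict:
    """Per-CU check: patched if at or above that CU's May 2021 SU build."""
    ver = parse_build(build)
    entry = MAY_2021_SU.get(ver[:3])
    if entry is None:
        # Not one of the listed CUs: either an older CU that received no
        # May 2021 SU (upgrade to a supported CU first) or a newer CU that
        # already ships with the fix. The caller has to decide which.
        return Verdict(None, "unlisted", None)
    product, fixed = entry
    # Within a CU only the last component changes between SUs, so that is
    # the only component to compare. Later SUs (higher values) also count.
    status = "patched" if ver[3] >= fixed[3] else "vulnerable"
    return Verdict(product, status, ".".join(map(str, fixed)))


def naive_is_patched(build: str) -> bool:
    """The pitfall: compare against the newest SU build of the product line.

    A fully patched CU19 server (15.1.2176.14) compares lower than CU20's
    build numbers and is therefore misreported as unpatched.
    """
    ver = parse_build(build)
    line = [fixed for _, fixed in MAY_2021_SU.values() if fixed[:2] == ver[:2]]
    return bool(line) and ver >= max(line)


if __name__ == "__main__":
    # Constructed sample builds, not data collected from real servers.
    for sample in ["15.1.2176.14", "15.1.2242.4", "15.2.792.13", "15.1.2106.13"]:
        v = assess(sample)
        print(f"{sample:<14} {v.status:<10} {v.product or '-':<26} "
              f"naive says patched={naive_is_patched(sample)}")
```

To get the input on the server, read the file version of ExSetup.exe (for example `Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }` in the Exchange Management Shell); the AdminDisplayVersion that Get-ExchangeServer reports only identifies the CU and does not move when an SU is installed, so it cannot tell a patched server from an unpatched one.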
Security Updates (5)
Acknowledgments
Orange Tsai (@orange_8361) from DEVCORE Research Team working with Trend Micro Zero Day Initiative (https://www.zerodayinitiative.com/)
Revision History
- 2021-05-11: Information published.
- 2023-10-26: Added an FAQ. This is an information change only.