CVE-2021-33766: Microsoft Exchange Server Information Disclosure Vulnerability
Overview
- Severity
- High (CVSS 7.3)
- CVSS Vector
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
- Category
- Information Disclosure
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2021-Jul
- Released
- 2021-07-13
- EPSS Score
- 93.61% (percentile: 99.8%)
- CISA KEV
- Listed — due 2022-02-01
FAQ
What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Personally Identifiable Information (PII).
Known Exploits (2)
- Microsoft Exchange Server Information Disclosure — added 2021-09-15T09:09:20Z
- Microsoft Exchange Server Information Disclosure — added 2021-08-31T22:03:13Z
Detection & Weaponization (4 sources)
Maturity: Detection
- Nuclei templates: Microsoft Exchange - Authentication Bypass
- Sigma rules: CVE-2021-33766 Exchange ProxyToken Exploitation
- YARA rules: exploit_cve_2021_33766_proxytoken.yar, SIGNATURE_BASE_LOG_EXPL_Proxytoken_Exploitation_Aug21_1
- GitHub PoC: 2 repositories
Affected Products (5)
Exchange Server
- Microsoft Exchange Server 2019 Cumulative Update 9
- Microsoft Exchange Server 2016 Cumulative Update 20
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2019 Cumulative Update 8
Security Updates (5)
Acknowledgments
LE XUAN TUYEN - VNPT ISC working with Trend Micro Zero Day Initiative
Revision History
- 2021-07-13: Information published. This CVE was addressed by updates that were released in April 2021, but the CVE was inadvertently omitted from the April 2021 Security Updates. This is an informational change only. Customers who have already installed the April 2021 update do not need to take any further action.