CVE-2021-34473: Microsoft Exchange Server Remote Code Execution Vulnerability
Overview
- Severity: Critical (CVSS 9.1)
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
- Category: Remote Code Execution
- Exploit Status: Not Exploited
- Exploitation Likelihood: More Likely
- Publicly Disclosed: Yes
- Patch Tuesday: 2021-Jul
- Released: 2021-07-13
- EPSS Score: 94.19% (percentile: 99.9%)
- CISA KEV: Listed — due 2021-11-17
Known Exploits (11)
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2023-10-17T08:38:08Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-11-16T08:22:29Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-06-29T12:37:31Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-05-24T08:35:15Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-11-22T07:47:09Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-09-04T15:34:03Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-08-18T20:11:27Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-08-16T17:59:41Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-08-13T14:45:38Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-08-13T09:38:21Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-08-10T15:01:02Z
Detection & Weaponization (3 sources)
Maturity: Exploit
- Metasploit modules: Microsoft Exchange ProxyShell RCE
- Nuclei templates: Exchange Server - Remote Code Execution
- GitHub PoC: 8 repositories
Affected Products (5)
Exchange Server
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 9
- Microsoft Exchange Server 2016 Cumulative Update 20
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2019 Cumulative Update 8
Security Updates (5)
Acknowledgments
Orange Tsai (@orange_8361) from DEVCORE Research Team working with Trend Micro Zero Day Initiative (https://www.zerodayinitiative.com/)
Revision History
- 2021-07-13: Information published. This CVE was addressed by updates that were released in April 2021, but the CVE was inadvertently omitted from the April 2021 Security Updates. This is an informational change only. Customers who have already installed the April 2021 update do not need to take any further action.