CVE-2021-42321: Microsoft Exchange Server Remote Code Execution Vulnerability
Overview
- Severity: High (CVSS 8.8)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category: Remote Code Execution
- Exploit Status: Actively Exploited
- Exploitation Likelihood: Detected
- Patch Tuesday: 2021-Nov
- Released: 2021-11-09
- Last Updated: 2022-06-21
- EPSS Score: 93.62% (percentile: 99.8%)
- CISA KEV: Listed — due 2021-12-01
FAQ
Where can I find more information about this vulnerability?
Please see the Exchange Blog for details of this Exchange release.
According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?
Yes, the attacker must be authenticated.
Known Exploits (3)
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-11-27T13:32:32Z
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-11-23T11:33:37+08:00
- Microsoft Exchange Server Remote Code Execution Vulnerability — added 2021-11-23T02:26:26Z
Detection & Weaponization (4 sources)
Maturity: Detection
- Metasploit modules: Microsoft Exchange Server ChainedSerializationBinder RCE
- Sigma rules: Possible Exploitation of Exchange RCE CVE-2021-42321
- YARA rules: ARKBIRD_SOLG_EXP_CVE_2021_42321_Nov_2021_1
- GitHub PoC: 2 repositories
Affected Products (4)
Server Software
- Microsoft Exchange Server 2016 Cumulative Update 21
- Microsoft Exchange Server 2019 Cumulative Update 10
- Microsoft Exchange Server 2016 Cumulative Update 22
- Microsoft Exchange Server 2019 Cumulative Update 11
Security Updates (4)
Acknowledgments
zcgonvh @ 360 noah lab, Yuhao Weng & Zhiniang Peng & Feng Dong with Sangfor (https://www.sangfor.com/), Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center
Revision History
- 2021-11-09: Information published.
- 2021-11-16: Added Microsoft Exchange Server 2013 to the Security Updates table. Customers that are using this version of Microsoft Exchange should install this update to be protected from this vulnerability.
- 2021-11-17: Removed Exchange Server 2013 from the Security Updates table as it is not affected by this vulnerability.
- 2021-12-06: Updated acknowledgment. This is an informational change only.
- 2022-06-21: Updated acknowledgment. This is an informational change only.