Emergency Fix

CVE-2021-26855

Server-Side Request Forgery in Microsoft Exchange Server

Summary

Microsoft Exchange Server's front-end HTTP proxy contains a server-side request forgery flaw. An unauthenticated attacker can craft cookies and requests that make Exchange relay HTTP traffic to internal backend endpoints as the Exchange server itself. This was the initial ProxyLogon primitive used to reach authenticated Exchange functionality, expose mailbox data, and enable full server compromise when chained with related bugs.

Why Emergency Fix?

6/6 criteria met:
No authentication required
Commonly internet-facing deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: SSRF (Server-Side Request Forgery)
Exploitable with default configuration: Yes
Authentication needed: No
PoC / Exploit available: Yes
Impact: Full System Compromise

Reach internal Exchange endpoints as the server and enable full server compromise in the ProxyLogon chain.
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

The attacker sends a crafted HTTPS request to a front-end Exchange path such as /ecp/favicon.ico or /autodiscover/autodiscover.xml and supplies a malicious X-BEResource or X-AnonResource-Backend cookie. Exchange's HttpProxy layer interprets that cookie as a backend target and proxies the request to an internal Exchange endpoint over Kerberos as the server. The attacker then reads the backend response or follows up against /ecp/proxyLogon.ecp and related resources to obtain trusted access and continue the ProxyLogon chain.

Detection Resources: 2 | Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft Exchange Server
Affected Versions: 2010, 2013, 2016, and 2019 before KB5000871
Description

Microsoft Exchange Server is an on-premises email and calendaring platform that hosts mailboxes, routes mail, and provides web access for Outlook and administrative management in enterprise environments.

Deployment: Commonly internet-facing | Protocol: HTTPS | Ports: 443, 80
Affected Component: Front-end HttpProxy request routing in Exchange web services, especially ECP and Autodiscover proxy handling via the X-BEResource and related cookies.

Affected Endpoints (4):
1. /ecp/favicon.ico
2. /ecp/proxyLogon.ecp
3. /autodiscover/autodiscover.xml
4. /ecp/default.flt
Vendor Size: Big
Remediation

Workaround: Temporarily filter malicious X-AnonResource-Backend and X-BEResource requests with IIS URL Rewrite, or disable Unified Messaging, ECP, and OAB virtual directories until patched. (Source: www.microsoft.com)

Patch: Install the March 2, 2021 Exchange security update KB5000871 for your supported cumulative update. (Source: support.microsoft.com)

Update: Not available

Threat Intelligence

EPSS Score: 94.4% (probability of exploitation in the next 30 days)
EPSS Percentile: 100% (worse than 100% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: microsoft.com)

Threat Actors (1)
HAFNIUM

China-based state-sponsored group targeting on-premises Exchange servers for initial access, mailbox access, and persistence

Detection Rules (3)

Other: HttpProxy logs: empty AuthenticatedUser and AnchorMailbox like ServerInfo~*/*
Other: Requests with malicious X-BEResource or X-AnonResource-Backend cookies to Exchange web paths
Snort: SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt

NVD Data


Description Summary

Microsoft Exchange Server Remote Code Execution Vulnerability

CVSS Base Score: 9.1 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

CWE: CWE-918 Server-Side Request Forgery (SSRF)

Affected Software (CPE) (24)

  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*