Planned Fix

CVE-2021-26857

Remote Code Execution in Microsoft Exchange Server

Summary

Microsoft Exchange Server's Unified Messaging service contains an insecure deserialization flaw. An attacker needs Exchange administrator access or a chained Exchange weakness to reach the vulnerable code path, then feeds crafted serialized input to the UM worker process. Successful exploitation runs code as SYSTEM and was part of the ProxyLogon campaign against on-premises Exchange servers.

Why Planned Fix?

4/6
  • Authentication required
  • Commonly internet-facing deployment
  • User interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? Yes
PoC / Exploit: Yes
Impact

Run code as SYSTEM on the Exchange server.

Exploitation Requirements
  • Authentication required
Exploitation Process

An attacker first reaches the Exchange server and either already has the required Exchange administrative access or chains another Exchange flaw to get there. They then send crafted serialized data that is processed by the Unified Messaging service, causing UMWorkerProcess to deserialize attacker-controlled content and execute attacker code. Successful exploitation is typically followed by abnormal UM worker behavior, unexpected child processes, or post-exploitation web shell deployment.

Detection Resources
Script Detection: 1
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft Exchange Server
Affected Versions: 2010 Service Pack 3; 2013 Service Pack 1 and Cumulative Update 22 through 23; 2016 Cumulative Update 8 through 19; 2019 RTM and Cumulative Update 1 through 8
Description

On-premises email, calendaring, and messaging server software used by organizations to host mailboxes, transport mail, and provide Outlook and webmail access.

Deployment: Commonly internet-facing | Protocol: HTTPS | Ports: 443
Affected Component: Unified Messaging service deserialization in the Exchange UM worker process.

Remediation
Workaround

Temporarily disable Unified Messaging services using Microsoft mitigation guidance or ExchangeMitigations/EOMT until patching is complete; this can disrupt voicemail and monitoring services.

www.microsoft.com
Patch

Not available

Update
Install the March 2, 2021 Exchange Server security updates: KB5000871 for Exchange 2013/2016/2019 and KB5000978 for Exchange 2010 SP3. If the server is on an older CU/RU, update to a supported build first, then apply the security update.

techcommunity.microsoft.com
Threat Intelligence
EPSS Score: 41.0%

Probability of exploitation in the next 30 days

EPSS Percentile: 97%

Worse than 97% of all CVEs

CISA KEV: Listed
Active Exploitation: Active
microsoft.com
Threat Actors (1)
HAFNIUM

A state-sponsored group operating out of China that targeted U.S. organizations and used ProxyLogon exploits against on-premises Exchange servers.

Detection Rules (2)
KQL
DeviceProcessEvents | where InitiatingProcessFileName == 'UMWorkerProcess.exe' | where FileName !in ('wermgr.exe','WerFault.exe')
Other (PowerShell)
Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error | Where-Object { $_.Message -like '*System.InvalidCastException*' }

NVD Data


Description Summary

Microsoft Exchange Server Remote Code Execution Vulnerability

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-502 Deserialization of Untrusted Data

Affected Software (CPE) (25)

  • cpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*