Planned Fix

CVE-2021-26858

Remote Code Execution in Microsoft Exchange Server

Summary

CVE-2021-26858 is a post-authentication arbitrary file write in on-premises Microsoft Exchange Server: an attacker who already holds an authenticated session can write a file of their choosing to any path on the server. In the ProxyLogon chain that authenticated state is obtained by first exploiting the CVE-2021-26855 server-side request forgery or by using stolen Exchange admin credentials. Successful exploitation places web shells or other payloads on disk and leads to remote code execution, persistence, and mailbox or data theft.

Why Planned Fix?

4/6
  • Authentication required
  • Commonly internet-facing deployment
  • User interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Exploitable with default configuration: Yes
Authentication needed: Yes
PoC / Exploit: No
Impact

Write arbitrary files to the Exchange server, enabling web-shell placement and remote code execution.

RCE (Remote Code Execution)
Exploitation Requirements
  • Authentication required
Exploitation Process

An attacker first obtains authenticated access to the Exchange server, in practice by chaining CVE-2021-26855 or by using stolen admin credentials. They then abuse the vulnerable file-write handling to save a chosen file to an arbitrary path. Legitimate OAB generation only writes temporary files under the ClientAccess\OAB\Temp directory, so the attacker aims instead at a web-accessible directory or another local or UNC path. Once the file lands in a web-served location they request it over HTTPS, or otherwise trigger the uploaded payload, to run commands on the server.
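The check a responder wants after the process above, as an added example that is not part of the original page and not Microsoft's own script: it applies Microsoft's published OABGeneratorLog rule (OAB generation writes temporary files only under ClientAccess\OAB\Temp, so a "Download failed and temporary file" entry naming any other local directory or a UNC path is an exploitation sign) to constructed sample lines and, when the log directory exists, to the real logs. The sample log layout, the assumption that the path is the last field on the line, and the variable and function names are the example's own; verify the regex against a real OABGeneratorLog before relying on it.

```powershell
# Triage of OABGeneratorLog for CVE-2021-26858 file writes.
# Added example; not code from the original page and not Microsoft's own
# detection script. Rule applied: OAB generation only writes temporary files
# below ClientAccess\OAB\Temp, so a "Download failed and temporary file" entry
# that names any other local directory or a UNC path indicates exploitation.
# ASSUMPTION: the sample lines below are constructed, and the regex assumes the
# path is the last field on the line; check both against a real log first.

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'
$ExpectedTemp = Join-Path $ExchangeRoot 'ClientAccess\OAB\Temp'
$LogDir       = Join-Path $ExchangeRoot 'Logging\OABGeneratorLog'

function Find-SuspiciousOabWrite {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Lines,
        [string]$AllowedRoot = $ExpectedTemp
    )
    # Local drive path or UNC path after the marker phrase, running to end of line.
    $pattern = 'Download failed and temporary file\s+(?<path>(?:[A-Za-z]:\\|\\\\)\S.*?)\s*$'
    # Trailing separator so that ...\OAB\Temp2\ is not accepted as inside ...\OAB\Temp\
    $root = $AllowedRoot.TrimEnd('\') + '\'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $raw = $Matches['path']
            # GetFullPath collapses ..\ segments so a traversal cannot spoof the prefix check.
            $path   = [System.IO.Path]::GetFullPath($raw)
            $isUnc  = $path.StartsWith('\\')
            $inRoot = $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
            if ($isUnc -or -not $inRoot) {
                [pscustomobject]@{
                    Reason = $(if ($isUnc) { 'UNC path' } else { 'outside OAB\Temp' })
                    Path   = $path
                    Line   = $line
                }
            }
        }
    }
}

# Constructed sample input (not real OABGeneratorLog content). Only the first
# write is benign; the second and third are reported.
$sample = @(
    "2021-03-02T10:15:01Z,OABGen,Download failed and temporary file $ExpectedTemp\a1b2c3.tmp",
    "2021-03-02T10:16:44Z,OABGen,Download failed and temporary file $ExchangeRoot\FrontEnd\HttpProxy\owa\auth\help.aspx",
    "2021-03-02T10:17:02Z,OABGen,Download failed and temporary file \\10.0.0.5\share\help.aspx",
    "2021-03-02T10:18:30Z,OABGen,OAB generation completed"
)
Find-SuspiciousOabWrite -Lines $sample | Format-Table -AutoSize

# Same check over the real logs when run on an Exchange server.
if (Test-Path $LogDir) {
    Get-ChildItem -Path $LogDir -Filter '*.log' -Recurse |
        ForEach-Object { Find-SuspiciousOabWrite -Lines @(Get-Content -Path $_.FullName) } |
        Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'oab-suspicious-writes.csv')
}
```

A hit from this script is a lead, not proof: confirm it by checking whether the named file exists, who created it, and whether the HTTP proxy logs show requests to it afterwards.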


Affected Software

Vendor: Microsoft
Product: Microsoft Exchange Server
Affected Versions: Exchange Server 2010 SP3 or any SP3 RU; Exchange Server 2013 CU23; Exchange Server 2016 CU18/CU19; Exchange Server 2019 CU7/CU8 (the supported builds that received the March 2021 Security Updates; the CPE list at the end of this page also covers older cumulative updates)
Description

On-premises email and calendaring server for enterprises, used for mailbox hosting, Outlook Web Access, and administrative management.

Deployment: Commonly internet-facing | Protocol: HTTPS | Ports: 443
Affected Component: Offline Address Book generation and file-write handling in on-premises Exchange Server.

Affected Endpoints (2):
1. /oab/
2. /ecp/
Vendor Size: Big
Remediation
Workaround
As a temporary mitigation until the server is patched, run Microsoft's ExchangeMitigations.ps1 with its OAB and ECP application-pool mitigations, which stop the MSExchangeOABAppPool and MSExchangeECPAppPool. Microsoft's EOMT applies the URL Rewrite mitigation for CVE-2021-26855 and runs the Safety Scanner; that blocks the usual unauthenticated route into this bug but does not by itself disable the pools. Stopping the OAB pool breaks Offline Address Book downloads for Outlook clients and stopping ECP takes the Exchange admin center offline, so re-enable both once the Security Update is installed.

Source: msrc.microsoft.com
Patch

Not available

Update
Apply the March 2021 Exchange Server Security Updates. The SUs are released for Exchange 2013 CU23, Exchange 2016 CU18/CU19, and Exchange 2019 CU7/CU8, so a server on an older cumulative update must first move to one of those CUs before the SU can be installed; Exchange 2016 CU20, Exchange 2019 CU9, and later cumulative updates already contain the fixes.

Source: techcommunity.microsoft.com
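The workaround and update steps above as one script, added here as an example that is not part of the original page and is not Microsoft's EOMT or ExchangeMitigations.ps1: it reads the installed Exchange build, decides whether the March 2021 SU or a later CU is present, and otherwise stops the OAB and ECP application pools, with a function to restore them after patching. The build numbers in $FixedBuilds are transcribed from the March 2021 SU release and must be verified against Microsoft's Exchange build-number table; the table covers 2013/2016/2019 only, and the function names are the example's own. The pool names MSExchangeOABAppPool and MSExchangeECPAppPool are the IIS pool names Exchange creates.

```powershell
# Build check and interim mitigation for CVE-2021-26858.
# Added example; not code from the original page and not Microsoft's EOMT or
# ExchangeMitigations.ps1. Run in an elevated PowerShell on the Exchange server.
# ASSUMPTION: the build numbers in $FixedBuilds are transcribed from the March
# 2021 SU release; verify them against Microsoft's Exchange build-number table.

#Requires -RunAsAdministrator
Import-Module WebAdministration

# Lowest build per CU that contains the March 2021 SU, keyed by major.minor.build.
$FixedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
}
$VulnerablePools = 'MSExchangeOABAppPool', 'MSExchangeECPAppPool'

function Get-ExchangeBuild {
    # ExSetup.exe carries the build number Microsoft uses in its SU guidance.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    [version]$exsetup.FileVersionInfo.FileVersion
}

function Test-March2021SuInstalled {
    param([Parameter(Mandatory)][version]$Build)
    $key = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if ($FixedBuilds.ContainsKey($key)) {
        # Same CU: patched when the revision is at or above the SU build.
        return $Build -ge $FixedBuilds[$key]
    }
    # Unknown CU: a CU newer than the newest one in the table for this product
    # line (2016 CU20, 2019 CU9, ...) shipped with the fixes; an older CU did not.
    $newest = $FixedBuilds.Values |
        Where-Object { $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor } |
        Sort-Object | Select-Object -Last 1
    return ($null -ne $newest) -and ($Build.Build -gt $newest.Build)
}

function Invoke-VulnerablePoolMitigation {
    foreach ($pool in $VulnerablePools) {
        if ((Get-WebAppPoolState -Name $pool).Value -ne 'Stopped') {
            Stop-WebAppPool -Name $pool
        }
        # Keep IIS from starting the pool again on its own before the SU is applied.
        Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name autoStart -Value $false
        "Stopped $pool"
    }
}

function Undo-VulnerablePoolMitigation {
    foreach ($pool in $VulnerablePools) {
        Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name autoStart -Value $true
        Start-WebAppPool -Name $pool
        "Started $pool"
    }
}

$build = Get-ExchangeBuild
if (Test-March2021SuInstalled -Build $build) {
    "Build $build already contains the March 2021 SU; no workaround applied."
} else {
    "Build $build is unpatched or unrecognised; stopping OAB and ECP app pools."
    Invoke-VulnerablePoolMitigation
}
```

An unrecognised build (for example Exchange 2010, which the table does not cover) is treated as unpatched on purpose; after the SU is installed, run Undo-VulnerablePoolMitigation to bring OAB downloads and the admin center back.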
Threat Intelligence
EPSS Score: 74.5% (probability of exploitation in the next 30 days)
EPSS Percentile: 99% (worse than 99% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: microsoft.com)
Threat Actors (1)
HAFNIUM

China-linked state-sponsored group targeting U.S. research, legal, higher education, defense, policy, and NGO sectors

Detection Rules (2)
Sigma / KQL: UMWorkerProcess.exe creating non-standard files
KQL (Microsoft 365 Defender advanced hunting; flags files created by the Unified Messaging worker other than its normal cache, log and config output):
DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName != "CacheCleanup.bin" and FileName != "cleanup.bin"
| where not(FileName endswith ".txt" or FileName endswith ".LOG" or FileName endswith ".cfg")

NVD Data


Description Summary

Microsoft Exchange Server Remote Code Execution Vulnerability

CVSS Base Score

7.8
High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

The Local attack vector and required user interaction reflect how NVD scores the file write on its own; in the ProxyLogon chain the authenticated state it needs is obtained over the network through CVE-2021-26855, which is why the page treats the practical impact as remote code execution on internet-facing servers.

Affected Software (CPE) (25)

  • cpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*