CVE-2021-26855

CVE-2021-26855 is a critical-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 9.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-918.

Key facts

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26855: Microsoft Exchange Server SSRF (ProxyLogon) – Critical Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2021-26855
Vendor Microsoft
Product Exchange Server 2013, 2016, 2019
CWE CWE-918 Server-Side Request Forgery (SSRF)
CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS v3 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS 0.99999 (percentile 0.99991)
CISA KEV Listed (added 2021-11-03)
EU Exploited Yes (since 2021-11-03)
Published 2021-03-03
Last Modified 2026-06-17

Summary

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. It allows an unauthenticated remote attacker to send arbitrary HTTP requests and authenticate as the Exchange Server itself, bypassing all authentication controls. When chained with CVE-2021-27065 (arbitrary file write), it enables unauthenticated remote code execution. This vulnerability is part of the widely exploited "ProxyLogon" attack chain and has been under active, widespread exploitation since March 2021.

Background

Microsoft Exchange Server is a widely deployed email, calendaring, and collaboration platform used by organizations globally. In early 2021, security researchers and threat intelligence teams observed multiple zero-day vulnerabilities being exploited by advanced persistent threat (APT) groups to compromise Exchange servers, exfiltrate data, and deploy web shells for persistent access. CVE-2021-26855 was the SSRF entry point that allowed attackers to interact with internal Exchange components—specifically the Unified Messaging service and the backend Exchange Control Panel (ECP)—without valid credentials.

Root Cause

The vulnerability stems from CWE-918: Server-Side Request Forgery (SSRF). Exchange Server's frontend (Client Access services) did not adequately validate or sanitize the Cookie header, specifically the X-AnonResource-Backend and X-BEResource cookies. By crafting a specially malformed cookie, an attacker could cause the frontend to proxy requests to arbitrary backend endpoints (including the ECP) while impersonating the Exchange Server identity. This effectively turned the frontend into an open proxy for the internal backend, bypassing authentication because internal requests from the frontend were implicitly trusted.

Impact

The CVSS v3.1 score of 9.1 (Critical) reflects the severe impact:

  • Attack Vector (AV): Network – exploitable remotely over the internet.
  • Attack Complexity (AC): Low – no special conditions required.
  • Privileges Required (PR): None – fully unauthenticated.
  • User Interaction (UI): None – no victim action needed.
  • Scope (S): Unchanged.
  • Confidentiality (C): High – unauthorized access to mailboxes and sensitive data.
  • Integrity (I): High – ability to modify server configuration and write files.
  • Availability (A): None – the base metric does not score availability impact, though RCE can lead to service disruption.

Real-world impact included mass exploitation by multiple threat actors, deployment of web shells, ransomware deployment (notably by Hafnium and related groups), and long-term persistent access to victim networks.

Exploitation Walkthrough

Ethics & Legal Notice: The following description is provided for defensive and awareness purposes only. Exploiting vulnerabilities without authorization is illegal and unethical. The details below are generalized and omit weaponized exploit code.

  1. Initial SSRF Trigger: The attacker sends an HTTP request to the public-facing Exchange frontend (e.g., /owa/ or /ecp/) with a malicious cookie. The cookie contains a crafted X-BEResource value pointing to an internal backend endpoint, such as /ecp/y.js.
  2. Authentication Bypass: The frontend proxies this request to the backend. Because the request appears to originate internally, the backend does not enforce normal authentication, allowing the attacker to access the ECP as the SYSTEM or Exchange Server identity.
  3. Token Acquisition: With access to the ECP, the attacker can obtain a valid ASP.NET_SessionId and msExchEcpCanary tokens, which are normally only available to authenticated administrators.
  4. Chaining for RCE: With valid session tokens, the attacker can leverage CVE-2021-27065 (or related post-authentication vulnerabilities) to write an arbitrary file (e.g., an ASPX web shell) to a web-accessible directory on the server.
  5. Persistent Access: The web shell provides a persistent backdoor for further lateral movement, data exfiltration, or ransomware deployment.

Defenders should note that exploitation leaves artifacts in IIS logs, ECP logs, and the Exchange HTTP proxy logs.

Affected and Patched Versions

The following Microsoft Exchange Server versions were confirmed vulnerable based on CPE data:

Version Affected Cumulative Updates
Exchange Server 2013 CU21, CU22, CU23
Exchange Server 2016 CU8, CU9, CU10, CU11, CU12, CU13, CU14, CU15, CU16, CU17, CU18, CU19
Exchange Server 2019 RTM, CU1, CU2, CU3, CU4, CU5, CU6, CU7, CU8

Note: Specific patch levels beyond those listed above were released by Microsoft in the March 2021 security updates. Organizations should consult the Microsoft Security Response Center advisory for exact patched build numbers.

Remediation

  1. Apply Microsoft Security Updates: Install the relevant cumulative update or security patch released by Microsoft in March 2021 (and subsequent updates). Microsoft also released out-of-band patches for unsupported versions (Exchange 2010) due to the severity and active exploitation.
  2. Upgrade Path: If running an end-of-life version (e.g., Exchange 2013), prioritize migration to a supported version with the latest cumulative update.
  3. Compensating Controls (if patching is delayed):
    • Restrict external access to Exchange web services (OWA, ECP, EWS, ActiveSync, OAB) to trusted IP ranges or VPN-only access.
    • Deploy a Web Application Firewall (WAF) rule to block requests containing suspicious X-BEResource or X-AnonResource cookie patterns.
    • Enable Extended Protection for Authentication on Exchange virtual directories where supported.
    • Implement network segmentation to limit lateral movement if a server is compromised.

Detection

  • IIS Logs: Look for unusual requests to /owa/ or /ecp/ with long or encoded cookie values, especially containing X-BEResource or X-AnonResource.
  • Exchange HTTP Proxy Logs: Check for SSRF-like proxying patterns where the frontend unexpectedly routes requests to backend ECP endpoints from external source IPs.
  • ECP Activity: Monitor for ECP access from anonymous or unexpected accounts, or sessions lacking normal pre-authentication flows.
  • File System: Hunt for newly created .aspx files in Exchange web directories (e.g., \FrontEnd\HttpProxy\owa\auth\, \ecp\) that do not match known good baselines.
  • Microsoft Detection Tools: Microsoft released the Exchange On-Premises Mitigation Tool and a Test-ProxyLogon.ps1 script to detect indicators of compromise.

Assessment

CVE-2021-26855 represents one of the most consequential enterprise vulnerabilities of the 2020s. With an EPSS score of 0.99999 and CISA KEV listing, it sits in the highest tier of observed exploitation probability. The combination of unauthenticated network access, low attack complexity, and high confidentiality/integrity impact made it a near-perfect target for mass exploitation. The "ProxyLogon" incident demonstrated how quickly nation-state and cybercriminal actors can weaponize zero-days when the target surface is both internet-facing and ubiquitous.

Key Lessons:

  1. Zero-Trust for Internals: Internal service-to-service trust boundaries are a recurring source of critical vulnerabilities. Frontend proxies must rigorously validate all incoming requests, even those that appear to target internal backends.
  2. Rapid Patching Velocity: Organizations with slower patch cycles were disproportionately impacted. The window between disclosure and mass exploitation was measured in days, reinforcing the need for emergency patch procedures for critical, internet-facing infrastructure.

References

Frequently asked questions

What is CVE-2021-26855?
Microsoft Exchange Server Remote Code Execution Vulnerability
How severe is CVE-2021-26855?
CVE-2021-26855 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2021-26855 being actively exploited?
Yes. CVE-2021-26855 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-26855?
CVE-2021-26855 primarily affects Microsoft Exchange Server. In total, 24 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-26855?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-26855 have an EU (EUVD) identifier?
Yes. CVE-2021-26855 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13639. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-26855 published?
CVE-2021-26855 was published on 2021-03-03 and last updated on 2026-06-17.

References

Affected products (24)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities

Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →