CVE-2021-26857
CVE-2021-26857 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-502.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 94% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-13641
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-502
- Affected product: Microsoft Exchange Server
- Published:
- Last modified:
Description
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26857: Microsoft Exchange Server Deserialization RCE (Hafnium)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-26857 |
| CWE | CWE-502 – Deserialization of Untrusted Data |
| CVSS v3.1 | 7.8 (HIGH) |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS | 0.94008 (99.8th percentile) |
| CISA KEV | Listed (added 2021-11-03) |
| EU Exploited | Yes (EUVD-2021-13641) |
| Published | 2021-03-03 |
Summary
CVE-2021-26857 is a remote code execution vulnerability in Microsoft Exchange Server. It stems from improper deserialization of user-supplied data by the Unified Messaging service, permitting an unauthenticated attacker to execute arbitrary code in the context of the SYSTEM account. The vulnerability was one of four zero-days chained by the Hafnium APT group during widespread attacks in early 2021.
Background
In March 2021, Microsoft disclosed a cluster of four zero-day vulnerabilities in on-premises Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). These flaws were being actively exploited by a state-sponsored threat actor—dubbed Hafnium—to compromise email servers worldwide. CVE-2021-26857 specifically targets the Exchange Unified Messaging (UM) service, a component that handles voicemail and other messaging features. Because the vulnerability does not require authentication, it is especially dangerous when paired with SSRF (CVE-2021-26855) to gain initial access.
Root Cause
CWE-502: Deserialization of Untrusted Data
The Unified Messaging service deserializes data from user-controlled input without adequate validation. When an attacker sends a specially crafted request containing a malicious serialized object, the .NET deserialization process instantiates attacker-controlled types. This leads to arbitrary code execution because the deserialized objects can trigger dangerous side effects—such as calling sensitive methods or setting properties—during the object-construction phase. The flaw exists because Exchange trusts the integrity of serialized data passed to the UM worker process without verifying its origin or content.
Impact
The CVSS v3.1 score of 7.8 (HIGH) reflects severe local impact despite the network attack vector being somewhat constrained:
- Confidentiality Impact: HIGH — Full access to all mailboxes, sensitive corporate communications, and cached credentials.
- Integrity Impact: HIGH — Attackers can modify email, install backdoors, or tamper with server configuration.
- Availability Impact: HIGH — Complete server compromise may lead to denial of service or ransomware deployment.
The EPSS score of 0.94008 (99.8th percentile) indicates an exceptionally high probability of active exploitation in the wild. The vulnerability's inclusion in the CISA Known Exploited Vulnerabilities catalog and the EUVD confirms that threat actors have weaponized it at scale.
Exploitation Walkthrough
⚠️ Ethics Notice: This section describes the exploitation principle for defensive awareness only. No weaponized exploit code is provided. Defenders should use this knowledge to improve detection and patching priority.
- Reconnaissance — The attacker identifies an on-premises Exchange Server exposed to the internet (commonly on TCP/443).
- Initial Access — Often chained with CVE-2021-26855 (SSRF), the attacker crafts a request to the
/ecp/y.jsor/owa/auth/x.jsendpoints to establish a session. - Deserialization Trigger — The attacker sends a crafted SOAP request to the Unified Messaging service (
/EWS/Exchange.asmxor UM-specific endpoints) containing a malicious .NET serialized payload (e.g., usingTypeConfuseDelegateorObjectDataProvidergadgets). - Code Execution — The UM worker process deserializes the payload, triggering arbitrary code execution as
NT AUTHORITY\SYSTEM. - Post-Exploitation — The attacker typically deploys web shells (e.g.,
ChinaChoppervariants) in/owa/auth/or/ecp/directories to maintain persistence.
Defensive Takeaway: Because exploitation leaves artifacts in IIS logs (unusual SOAP requests, 500-series errors followed by successful 200 responses from unusual paths), monitoring for anomalous POST requests to EWS/UM endpoints is critical.
Affected and Patched Versions
Affected:
- Microsoft Exchange Server 2010 Service Pack 3
- Microsoft Exchange Server 2013 (CU22, CU23, SP1)
- Microsoft Exchange Server 2016 (CU8 through CU19)
- Microsoft Exchange Server 2019 (RTM through CU8)
Patched:
- Exchange 2013 CU23 + March 2021 security update
- Exchange 2016 CU19 + March 2021 security update
- Exchange 2019 CU8 + March 2021 security update
- Subsequent cumulative updates include the fix
Exchange 2010 reached end-of-life and did not receive a patch; organizations were advised to migrate or apply compensating controls.
Remediation
- Apply Security Updates — Install the relevant March 2021 Exchange security update or upgrade to a supported cumulative update that includes the fix.
- Upgrade Legacy Versions — Exchange 2010 is unpatched; migrate to Exchange 2016/2019 or Exchange Online.
- Compensating Controls — If patching is delayed:
- Restrict external access to Exchange Admin Center (EAC) and OWA via VPN or WAF rules.
- Enable Microsoft Defender for Office 365 and EDR telemetry.
- Apply the Exchange On-Premises Mitigation Tool (EOMT) released by Microsoft for temporary defense-in-depth.
- IIS Hardening — Remove unnecessary virtual directories and restrict access to
/ecp,/owa, and/ewsfrom untrusted networks.
Detection
- Log Indicators: Monitor IIS logs for
POSTrequests to/ecp/y.js,/owa/auth/x.js, or/ews/Exchange.asmxwith unusually large payloads or unexpectedUser-Agentstrings. - Web Shell Signatures: Hunt for suspicious
.aspxfiles in\inetpub\wwwroot\owa\auth\or\ecp\directories (e.g., files namedRedirSuiteServiceProxy.aspx,aspnet_client). - Process Anomalies: Monitor
w3wp.exe(UM worker process) spawning unusual child processes such ascmd.exe,powershell.exe, orcertutil.exe. - Microsoft Tools: Run the Microsoft Safety Scanner and the Test-ProxyLogon.ps1 script to detect historical compromise.
Assessment
CVE-2021-26857 is a textbook example of why deserialization vulnerabilities remain among the most dangerous web-application flaws. Despite requiring user interaction (UI:R) in CVSS v3.1, the real-world attack path via SSRF chaining effectively nullified this constraint. The EPSS score above 0.94 and confirmed nation-state exploitation make this a "patch immediately" priority even years after disclosure.
Key Lessons:
- Zero-trust for serialized data: Never deserialize untrusted input without strict type whitelisting and integrity checks.
- Cumulative update discipline: Running outdated CU levels left thousands of organizations exposed to a preventable compromise.
- Assume breach: Organizations that had already deployed EDR and aggressive log monitoring were able to detect and contain Hafnium activity within hours rather than weeks.
References
Frequently asked questions
- What is CVE-2021-26857?
- Microsoft Exchange Server Remote Code Execution Vulnerability
- How severe is CVE-2021-26857?
- CVE-2021-26857 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-26857 being actively exploited?
- Yes. CVE-2021-26857 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-26857?
- CVE-2021-26857 primarily affects Microsoft Exchange Server. In total, 25 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-26857?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-26857 have an EU (EUVD) identifier?
- Yes. CVE-2021-26857 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13641. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-26857 published?
- CVE-2021-26857 was published on 2021-03-03 and last updated on 2026-06-17.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26857
Affected products (25)
- cpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
More vulnerabilities in Microsoft Exchange Server
- CVE-2007-0213 — Critical (CVSS 10.0): Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails,…
- CVE-2004-0840 — Critical (CVSS 10.0): The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows…
- CVE-2004-0574 — Critical (CVSS 10.0): The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows…
- CVE-1999-0385 — Critical (CVSS 10.0): The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of…
- CVE-2024-21410 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-21709 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Exchange Server →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →