CVE-2021-26857

CVE-2021-26857 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-502.

Key facts

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26857: Microsoft Exchange Server Deserialization RCE (Hafnium)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-26857
CWE CWE-502 – Deserialization of Untrusted Data
CVSS v3.1 7.8 (HIGH)
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS 0.94008 (99.8th percentile)
CISA KEV Listed (added 2021-11-03)
EU Exploited Yes (EUVD-2021-13641)
Published 2021-03-03

Summary

CVE-2021-26857 is a remote code execution vulnerability in Microsoft Exchange Server. It stems from improper deserialization of user-supplied data by the Unified Messaging service, permitting an unauthenticated attacker to execute arbitrary code in the context of the SYSTEM account. The vulnerability was one of four zero-days chained by the Hafnium APT group during widespread attacks in early 2021.

Background

In March 2021, Microsoft disclosed a cluster of four zero-day vulnerabilities in on-premises Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). These flaws were being actively exploited by a state-sponsored threat actor—dubbed Hafnium—to compromise email servers worldwide. CVE-2021-26857 specifically targets the Exchange Unified Messaging (UM) service, a component that handles voicemail and other messaging features. Because the vulnerability does not require authentication, it is especially dangerous when paired with SSRF (CVE-2021-26855) to gain initial access.

Root Cause

CWE-502: Deserialization of Untrusted Data

The Unified Messaging service deserializes data from user-controlled input without adequate validation. When an attacker sends a specially crafted request containing a malicious serialized object, the .NET deserialization process instantiates attacker-controlled types. This leads to arbitrary code execution because the deserialized objects can trigger dangerous side effects—such as calling sensitive methods or setting properties—during the object-construction phase. The flaw exists because Exchange trusts the integrity of serialized data passed to the UM worker process without verifying its origin or content.

Impact

The CVSS v3.1 score of 7.8 (HIGH) reflects severe local impact despite the network attack vector being somewhat constrained:

  • Confidentiality Impact: HIGH — Full access to all mailboxes, sensitive corporate communications, and cached credentials.
  • Integrity Impact: HIGH — Attackers can modify email, install backdoors, or tamper with server configuration.
  • Availability Impact: HIGH — Complete server compromise may lead to denial of service or ransomware deployment.

The EPSS score of 0.94008 (99.8th percentile) indicates an exceptionally high probability of active exploitation in the wild. The vulnerability's inclusion in the CISA Known Exploited Vulnerabilities catalog and the EUVD confirms that threat actors have weaponized it at scale.

Exploitation Walkthrough

⚠️ Ethics Notice: This section describes the exploitation principle for defensive awareness only. No weaponized exploit code is provided. Defenders should use this knowledge to improve detection and patching priority.

  1. Reconnaissance — The attacker identifies an on-premises Exchange Server exposed to the internet (commonly on TCP/443).
  2. Initial Access — Often chained with CVE-2021-26855 (SSRF), the attacker crafts a request to the /ecp/y.js or /owa/auth/x.js endpoints to establish a session.
  3. Deserialization Trigger — The attacker sends a crafted SOAP request to the Unified Messaging service (/EWS/Exchange.asmx or UM-specific endpoints) containing a malicious .NET serialized payload (e.g., using TypeConfuseDelegate or ObjectDataProvider gadgets).
  4. Code Execution — The UM worker process deserializes the payload, triggering arbitrary code execution as NT AUTHORITY\SYSTEM.
  5. Post-Exploitation — The attacker typically deploys web shells (e.g., ChinaChopper variants) in /owa/auth/ or /ecp/ directories to maintain persistence.

Defensive Takeaway: Because exploitation leaves artifacts in IIS logs (unusual SOAP requests, 500-series errors followed by successful 200 responses from unusual paths), monitoring for anomalous POST requests to EWS/UM endpoints is critical.

Affected and Patched Versions

Affected:

  • Microsoft Exchange Server 2010 Service Pack 3
  • Microsoft Exchange Server 2013 (CU22, CU23, SP1)
  • Microsoft Exchange Server 2016 (CU8 through CU19)
  • Microsoft Exchange Server 2019 (RTM through CU8)

Patched:

  • Exchange 2013 CU23 + March 2021 security update
  • Exchange 2016 CU19 + March 2021 security update
  • Exchange 2019 CU8 + March 2021 security update
  • Subsequent cumulative updates include the fix

Exchange 2010 reached end-of-life and did not receive a patch; organizations were advised to migrate or apply compensating controls.

Remediation

  1. Apply Security Updates — Install the relevant March 2021 Exchange security update or upgrade to a supported cumulative update that includes the fix.
  2. Upgrade Legacy Versions — Exchange 2010 is unpatched; migrate to Exchange 2016/2019 or Exchange Online.
  3. Compensating Controls — If patching is delayed:
    • Restrict external access to Exchange Admin Center (EAC) and OWA via VPN or WAF rules.
    • Enable Microsoft Defender for Office 365 and EDR telemetry.
    • Apply the Exchange On-Premises Mitigation Tool (EOMT) released by Microsoft for temporary defense-in-depth.
  4. IIS Hardening — Remove unnecessary virtual directories and restrict access to /ecp, /owa, and /ews from untrusted networks.

Detection

  • Log Indicators: Monitor IIS logs for POST requests to /ecp/y.js, /owa/auth/x.js, or /ews/Exchange.asmx with unusually large payloads or unexpected User-Agent strings.
  • Web Shell Signatures: Hunt for suspicious .aspx files in \inetpub\wwwroot\owa\auth\ or \ecp\ directories (e.g., files named RedirSuiteServiceProxy.aspx, aspnet_client).
  • Process Anomalies: Monitor w3wp.exe (UM worker process) spawning unusual child processes such as cmd.exe, powershell.exe, or certutil.exe.
  • Microsoft Tools: Run the Microsoft Safety Scanner and the Test-ProxyLogon.ps1 script to detect historical compromise.

Assessment

CVE-2021-26857 is a textbook example of why deserialization vulnerabilities remain among the most dangerous web-application flaws. Despite requiring user interaction (UI:R) in CVSS v3.1, the real-world attack path via SSRF chaining effectively nullified this constraint. The EPSS score above 0.94 and confirmed nation-state exploitation make this a "patch immediately" priority even years after disclosure.

Key Lessons:

  1. Zero-trust for serialized data: Never deserialize untrusted input without strict type whitelisting and integrity checks.
  2. Cumulative update discipline: Running outdated CU levels left thousands of organizations exposed to a preventable compromise.
  3. Assume breach: Organizations that had already deployed EDR and aggressive log monitoring were able to detect and contain Hafnium activity within hours rather than weeks.

References

Frequently asked questions

What is CVE-2021-26857?
Microsoft Exchange Server Remote Code Execution Vulnerability
How severe is CVE-2021-26857?
CVE-2021-26857 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-26857 being actively exploited?
Yes. CVE-2021-26857 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-26857?
CVE-2021-26857 primarily affects Microsoft Exchange Server. In total, 25 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-26857?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-26857 have an EU (EUVD) identifier?
Yes. CVE-2021-26857 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13641. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-26857 published?
CVE-2021-26857 was published on 2021-03-03 and last updated on 2026-06-17.

References

Affected products (25)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →