CVE-2021-26858

CVE-2021-26858 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).

Key facts

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26858: Microsoft Exchange Server Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-26858
Published 2021-03-03
Severity (CVSS v3) 7.8 HIGH
CVSS v3 Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS 0.89509 (99.77th percentile)
Known Exploited Yes — added to CISA KEV on 2021-11-03
CWE Not specified in source data

Summary

CVE-2021-26858 is a remote code execution (RCE) vulnerability affecting multiple versions of Microsoft Exchange Server. The vulnerability was disclosed by Microsoft on March 2, 2021, as part of a coordinated security update addressing actively exploited zero-day flaws in Exchange. It carries a CVSS v3 score of 7.8 (HIGH) and has been observed in active exploitation in the wild.

Background

Microsoft Exchange Server is a widely deployed email, calendaring, and collaboration platform used by organizations worldwide. In early 2021, security researchers and Microsoft identified multiple zero-day vulnerabilities being exploited by threat actors to compromise Exchange servers. CVE-2021-26858 was among the vulnerabilities addressed in the out-of-band security updates released in March 2021. The scope of exploitation was extensive, affecting tens of thousands of on-premises Exchange servers globally.

Root Cause

The specific CWE identifier is not provided in the source data. Based on Microsoft's advisory classification, the vulnerability is a remote code execution flaw in Microsoft Exchange Server. The root cause relates to improper input validation or insecure processing of untrusted data within Exchange components, allowing an attacker to execute arbitrary code in the context of the SYSTEM account. Without a published CWE from the source data, the precise weakness category cannot be definitively stated.

Impact

The CVSS v3 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates:

  • Attack Vector (AV): Local — exploitation requires local access or an initial foothold
  • Attack Complexity (AC): Low — trivial conditions required for exploitation
  • Privileges Required (PR): None — no privileges needed
  • User Interaction (UI): Required — victim interaction is needed
  • Scope (S): Unchanged — exploit cannot affect resources beyond the vulnerable component
  • Confidentiality (C): High — total information disclosure
  • Integrity (I): High — complete compromise of system integrity
  • Availability (A): High — total shutdown of the affected resource

The CVSS v2 score of 6.8 with vector AV:N/AC:M/Au:N/C:P/I:P/A:P reflects network-accessible attack surface with medium complexity, no authentication required, and partial impacts across the CIA triad.

Exploitation Walkthrough

Ethics caveat: This section describes exploitation concepts from a defensive perspective only. No weaponized code or step-by-step attack instructions are provided. Organizations should use this information to improve detection and hardening.

CVE-2021-26858 has been actively exploited in the wild since at least early 2021. Threat actors leveraging this vulnerability typically chain it with other Exchange flaws (such as CVE-2021-26855, CVE-2021-26857, and CVE-2021-27065) to achieve initial access, escalate privileges, and deploy web shells or other persistent backdoors on compromised Exchange servers.

The general exploitation flow observed in incidents involves:

  1. Initial Access: The attacker sends a crafted request to the vulnerable Exchange server.
  2. Code Execution: The vulnerability is triggered, allowing arbitrary code execution within the Exchange process context.
  3. Persistence: Attackers commonly drop ASPX web shells in Exchange-accessible directories for persistent remote access.
  4. Lateral Movement: From the compromised Exchange server, attackers pivot to other systems within the network.

Defenders should focus on identifying indicators of compromise (IoCs) such as unexpected ASPX files in Exchange directories, suspicious PowerShell activity, and anomalous IIS logs rather than attempting to reproduce the exploit.

Affected and Patched Versions

The following Microsoft Exchange Server versions are affected according to the CPE data:

  • Exchange Server 2010 — Service Pack 3
  • Exchange Server 2013 — Cumulative Update 22, Cumulative Update 23, Service Pack 1
  • Exchange Server 2016 — Cumulative Update 8 through Cumulative Update 19
  • Exchange Server 2019 — RTM through Cumulative Update 8

Microsoft released security updates for all affected versions in March 2021. Organizations must apply the relevant cumulative updates or security patches to remediate this vulnerability.

Remediation

  1. Apply Patches: Install the applicable Microsoft security updates released in March 2021 (and subsequent cumulative updates). For Exchange 2010 SP3, apply the latest Rollup Update. For Exchange 2013, 2016, and 2019, apply the relevant Cumulative Update.
  2. Upgrade: If running end-of-life versions such as Exchange 2010, plan migration to a supported version (Exchange 2016 or 2019, or Exchange Online).
  3. Compensating Controls:
    • Restrict external access to Exchange Admin Center (EAC) and Outlook Web App (OWA) via VPN or IP allow-listing where possible.
    • Enable Extended Protection for Authentication on Exchange virtual directories.
    • Deploy a Web Application Firewall (WAF) with rules tuned for Exchange exploitation patterns.
    • Ensure Exchange servers are segmented from the broader network to limit lateral movement.

Detection

  • Web Shell Detection: Hunt for anomalous .aspx, .ashx, or .asmx files in Exchange IIS directories (C:\inetpub\wwwroot, C:\Exchange\FrontEnd\HttpProxy, etc.).
  • IIS Log Analysis: Review IIS logs for suspicious POST requests to Exchange endpoints such as /ecp/, /owa/, /autodiscover/, or /mapi/ with unusual patterns or unexpected source IPs.
  • Windows Event Logs: Monitor Windows Event IDs 4688 (process creation) for suspicious child processes spawned by w3wp.exe or Exchange worker processes.
  • Microsoft Detection Tools: Microsoft released the Exchange On-Premises Mitigation Tool and scripts to scan for known IoCs and patch unpatched systems. Run these tools even on patched servers to check for historical compromise.
  • EPSS Priority: With an EPSS of 0.89509 and a 99.77th percentile ranking, this vulnerability should be treated as a critical patching and detection priority.

Assessment

CVE-2021-26858 represents a severe and actively exploited vulnerability in one of the most critical enterprise infrastructure components. Its inclusion in CISA's Known Exploited Vulnerabilities catalog and its extremely high EPSS score (0.89509) underscore the real-world threat. Key lessons:

  1. Patch Velocity Matters: The widespread exploitation of this flaw demonstrates that threat actors rapidly weaponize critical vulnerabilities in internet-facing enterprise software. Organizations with slow patch cycles faced significant compromise risk.
  2. Assume Compromise: Given the KEV status and active exploitation since March 2021, any unpatched Exchange server exposed during the vulnerable window should be assumed compromised until forensic analysis proves otherwise. Patching alone is insufficient; incident response and IoC sweeps are essential.

References

Frequently asked questions

What is CVE-2021-26858?
Microsoft Exchange Server Remote Code Execution Vulnerability
How severe is CVE-2021-26858?
CVE-2021-26858 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-26858 being actively exploited?
Yes. CVE-2021-26858 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-26858?
CVE-2021-26858 primarily affects Microsoft Exchange Server. In total, 25 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-26858?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-26858 have an EU (EUVD) identifier?
Yes. CVE-2021-26858 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13642. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-26858 published?
CVE-2021-26858 was published on 2021-03-03 and last updated on 2026-06-17.

References

Affected products (25)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →