CVE-2021-26858
CVE-2021-26858 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 90% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-13642
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Affected product: Microsoft Exchange Server
- Published:
- Last modified:
Description
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26858: Microsoft Exchange Server Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-26858 |
| Published | 2021-03-03 |
| Severity (CVSS v3) | 7.8 HIGH |
| CVSS v3 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS | 0.89509 (99.77th percentile) |
| Known Exploited | Yes — added to CISA KEV on 2021-11-03 |
| CWE | Not specified in source data |
Summary
CVE-2021-26858 is a remote code execution (RCE) vulnerability affecting multiple versions of Microsoft Exchange Server. The vulnerability was disclosed by Microsoft on March 2, 2021, as part of a coordinated security update addressing actively exploited zero-day flaws in Exchange. It carries a CVSS v3 score of 7.8 (HIGH) and has been observed in active exploitation in the wild.
Background
Microsoft Exchange Server is a widely deployed email, calendaring, and collaboration platform used by organizations worldwide. In early 2021, security researchers and Microsoft identified multiple zero-day vulnerabilities being exploited by threat actors to compromise Exchange servers. CVE-2021-26858 was among the vulnerabilities addressed in the out-of-band security updates released in March 2021. The scope of exploitation was extensive, affecting tens of thousands of on-premises Exchange servers globally.
Root Cause
The specific CWE identifier is not provided in the source data. Based on Microsoft's advisory classification, the vulnerability is a remote code execution flaw in Microsoft Exchange Server. The root cause relates to improper input validation or insecure processing of untrusted data within Exchange components, allowing an attacker to execute arbitrary code in the context of the SYSTEM account. Without a published CWE from the source data, the precise weakness category cannot be definitively stated.
Impact
The CVSS v3 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates:
- Attack Vector (AV): Local — exploitation requires local access or an initial foothold
- Attack Complexity (AC): Low — trivial conditions required for exploitation
- Privileges Required (PR): None — no privileges needed
- User Interaction (UI): Required — victim interaction is needed
- Scope (S): Unchanged — exploit cannot affect resources beyond the vulnerable component
- Confidentiality (C): High — total information disclosure
- Integrity (I): High — complete compromise of system integrity
- Availability (A): High — total shutdown of the affected resource
The CVSS v2 score of 6.8 with vector AV:N/AC:M/Au:N/C:P/I:P/A:P reflects network-accessible attack surface with medium complexity, no authentication required, and partial impacts across the CIA triad.
Exploitation Walkthrough
Ethics caveat: This section describes exploitation concepts from a defensive perspective only. No weaponized code or step-by-step attack instructions are provided. Organizations should use this information to improve detection and hardening.
CVE-2021-26858 has been actively exploited in the wild since at least early 2021. Threat actors leveraging this vulnerability typically chain it with other Exchange flaws (such as CVE-2021-26855, CVE-2021-26857, and CVE-2021-27065) to achieve initial access, escalate privileges, and deploy web shells or other persistent backdoors on compromised Exchange servers.
The general exploitation flow observed in incidents involves:
- Initial Access: The attacker sends a crafted request to the vulnerable Exchange server.
- Code Execution: The vulnerability is triggered, allowing arbitrary code execution within the Exchange process context.
- Persistence: Attackers commonly drop ASPX web shells in Exchange-accessible directories for persistent remote access.
- Lateral Movement: From the compromised Exchange server, attackers pivot to other systems within the network.
Defenders should focus on identifying indicators of compromise (IoCs) such as unexpected ASPX files in Exchange directories, suspicious PowerShell activity, and anomalous IIS logs rather than attempting to reproduce the exploit.
Affected and Patched Versions
The following Microsoft Exchange Server versions are affected according to the CPE data:
- Exchange Server 2010 — Service Pack 3
- Exchange Server 2013 — Cumulative Update 22, Cumulative Update 23, Service Pack 1
- Exchange Server 2016 — Cumulative Update 8 through Cumulative Update 19
- Exchange Server 2019 — RTM through Cumulative Update 8
Microsoft released security updates for all affected versions in March 2021. Organizations must apply the relevant cumulative updates or security patches to remediate this vulnerability.
Remediation
- Apply Patches: Install the applicable Microsoft security updates released in March 2021 (and subsequent cumulative updates). For Exchange 2010 SP3, apply the latest Rollup Update. For Exchange 2013, 2016, and 2019, apply the relevant Cumulative Update.
- Upgrade: If running end-of-life versions such as Exchange 2010, plan migration to a supported version (Exchange 2016 or 2019, or Exchange Online).
- Compensating Controls:
- Restrict external access to Exchange Admin Center (EAC) and Outlook Web App (OWA) via VPN or IP allow-listing where possible.
- Enable Extended Protection for Authentication on Exchange virtual directories.
- Deploy a Web Application Firewall (WAF) with rules tuned for Exchange exploitation patterns.
- Ensure Exchange servers are segmented from the broader network to limit lateral movement.
Detection
- Web Shell Detection: Hunt for anomalous
.aspx,.ashx, or.asmxfiles in Exchange IIS directories (C:\inetpub\wwwroot,C:\Exchange\FrontEnd\HttpProxy, etc.). - IIS Log Analysis: Review IIS logs for suspicious POST requests to Exchange endpoints such as
/ecp/,/owa/,/autodiscover/, or/mapi/with unusual patterns or unexpected source IPs. - Windows Event Logs: Monitor Windows Event IDs 4688 (process creation) for suspicious child processes spawned by
w3wp.exeor Exchange worker processes. - Microsoft Detection Tools: Microsoft released the Exchange On-Premises Mitigation Tool and scripts to scan for known IoCs and patch unpatched systems. Run these tools even on patched servers to check for historical compromise.
- EPSS Priority: With an EPSS of 0.89509 and a 99.77th percentile ranking, this vulnerability should be treated as a critical patching and detection priority.
Assessment
CVE-2021-26858 represents a severe and actively exploited vulnerability in one of the most critical enterprise infrastructure components. Its inclusion in CISA's Known Exploited Vulnerabilities catalog and its extremely high EPSS score (0.89509) underscore the real-world threat. Key lessons:
- Patch Velocity Matters: The widespread exploitation of this flaw demonstrates that threat actors rapidly weaponize critical vulnerabilities in internet-facing enterprise software. Organizations with slow patch cycles faced significant compromise risk.
- Assume Compromise: Given the KEV status and active exploitation since March 2021, any unpatched Exchange server exposed during the vulnerable window should be assumed compromised until forensic analysis proves otherwise. Patching alone is insufficient; incident response and IoC sweeps are essential.
References
Frequently asked questions
- What is CVE-2021-26858?
- Microsoft Exchange Server Remote Code Execution Vulnerability
- How severe is CVE-2021-26858?
- CVE-2021-26858 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-26858 being actively exploited?
- Yes. CVE-2021-26858 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-26858?
- CVE-2021-26858 primarily affects Microsoft Exchange Server. In total, 25 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-26858?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-26858 have an EU (EUVD) identifier?
- Yes. CVE-2021-26858 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13642. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-26858 published?
- CVE-2021-26858 was published on 2021-03-03 and last updated on 2026-06-17.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26858
Affected products (25)
- cpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
More vulnerabilities in Microsoft Exchange Server
- CVE-2007-0213 — Critical (CVSS 10.0): Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails,…
- CVE-2004-0840 — Critical (CVSS 10.0): The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows…
- CVE-2004-0574 — Critical (CVSS 10.0): The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows…
- CVE-1999-0385 — Critical (CVSS 10.0): The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of…
- CVE-2024-21410 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-21709 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability