CVE-2021-27065
CVE-2021-27065 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-13836
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Microsoft Exchange Server
- Published:
- Last modified:
Description
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-27065: Microsoft Exchange Server Path Traversal Leading to Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2021-27065 |
| CVSS v2 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| CVSS v3 | 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| EPSS | 0.99946 (99.9th percentile) |
| KEV | Yes (added 2021-11-03) |
| CISA KEV | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27065 |
Summary
CVE-2021-27065 is a remote code execution vulnerability in Microsoft Exchange Server caused by a path traversal flaw (CWE-22). An attacker can exploit this vulnerability to write arbitrary files to the server filesystem, which can then be leveraged to achieve remote code execution. This vulnerability is part of the widely exploited ProxyLogon attack chain and has been actively used in the wild.
Background
Microsoft Exchange Server is a widely deployed email and calendaring server. In early 2021, multiple zero-day vulnerabilities in Exchange Server were discovered and exploited by threat actors. CVE-2021-27065, alongside related vulnerabilities, was leveraged in widespread attacks to compromise Exchange servers globally. The vulnerability resides in the Exchange Control Panel (ECP) component, where improper handling of file paths allows directory traversal.
Root Cause
CWE-22: Path Traversal. The vulnerability exists because the Exchange Control Panel fails to properly validate and sanitize user-supplied file paths. An attacker can supply directory traversal sequences in file path parameters to write files outside the intended directory. Because the written content is attacker-controlled and can be placed within web-accessible directories, the attacker can achieve remote code execution when the server processes the file.
Impact
- CVSS v2: 6.8 (Network, Medium complexity, No authentication, Partial C/I/A impact)
- CVSS v3: 7.8 — HIGH (Local attack vector, Low complexity, No privileges required, User interaction required, High confidentiality/integrity/availability impact)
- Real-world impact: Successful exploitation enables an attacker to execute arbitrary code on the Exchange server, typically with high privileges. This can lead to complete server compromise, data theft, email access, lateral movement within the network, and deployment of persistent backdoors or ransomware. The vulnerability is classified as HIGH severity.
Exploitation Walkthrough
Ethics & Defensive Context: This section provides a conceptual overview for defenders and incident responders. No working exploit code is provided.
The exploitation of CVE-2021-27065 typically occurs as part of an attack chain:
- Initial Access: An attacker first obtains access to the Exchange Control Panel, often by exploiting a related server-side request forgery (SSRF) vulnerability (CVE-2021-26855) to bypass authentication.
- Path Traversal / File Write: The attacker crafts a request to the ECP file export or write functionality, supplying a malicious filename containing directory traversal sequences (e.g.,
..\). This causes the server to write the attacker-controlled file to an arbitrary location, such as a web-accessible directory. - Code Execution: The attacker subsequently requests the written file via HTTP. The server processes the file (e.g., an ASPX web shell), executing the embedded code and granting the attacker remote command execution.
Defensive teams should monitor for:
- Unexpected ASPX or script files appearing in Exchange web directories.
- Unusual POST requests to ECP endpoints followed by GET requests to new or unusual paths.
- Anomalous file write activity in the Exchange server installation directory.
Affected and Patched Versions
Affected (based on vendor CPE data):
- Microsoft Exchange Server 2013 (Cumulative Update 21, SP1)
- Microsoft Exchange Server 2016 (Cumulative Update 8 through Cumulative Update 19)
- Microsoft Exchange Server 2019 (RTM through Cumulative Update 8)
Patched:
Microsoft released security updates for this vulnerability in March 2021. Administrators should apply the latest cumulative update for their supported Exchange Server version. Refer to the Microsoft Security Response Center advisory for specific patch guidance.
Remediation
- Apply Updates: Install the latest Microsoft Exchange Server cumulative updates and security patches immediately. The March 2021 security updates specifically addressed this vulnerability.
- Compensating Controls: If immediate patching is not feasible:
- Restrict external access to the Exchange Control Panel (ECP) and Outlook Web Access (OWA) to trusted networks or VPN-only connections.
- Implement reverse proxy and WAF rules to filter malicious requests targeting Exchange endpoints.
- Apply temporary mitigations for related authentication-bypass vulnerabilities (such as CVE-2021-26855) to reduce attack surface.
- Compromise Assessment: Given the high EPSS score and confirmed exploitation, any unpatched Exchange server that was internet-accessible during the exploitation window should be treated as potentially compromised. Conduct a full forensic investigation for:
- Web shells in Exchange web directories.
- Unauthorized mailbox access or rule modifications.
- Suspicious process execution by the IIS worker process.
Detection
- Endpoint Detection: Monitor for the IIS worker process (
w3wp.exe) spawning unusual child processes such ascmd.exe,powershell.exe, ormshta.exe. - File Integrity Monitoring: Alert on new or modified
.aspx,.ashx, or.dllfiles in Exchange web application directories. - Network Detection: Deploy IDS/IPS signatures to detect known ProxyLogon exploit patterns, including anomalous requests to
/ecp/endpoints with traversal sequences or unusual headers. - Log Analysis: Review IIS and Exchange logs for suspicious
POSTrequests to ECP DDI service endpoints followed byGETrequests to unexpected paths under web-accessible directories.
Assessment
With an EPSS score of 0.99946 (99.9th percentile) and confirmed Known Exploited Vulnerability (KEV) status since November 2021, CVE-2021-27065 is one of the most reliably exploited server vulnerabilities in recent years. The ProxyLogon attack chain was used by multiple threat actors, including APT groups and ransomware affiliates, in widespread campaigns against Exchange servers.
Key lessons:
- Patch internet-facing infrastructure immediately: Exchange servers are high-value targets. Security updates for critical vulnerabilities in internet-facing applications should be applied within hours, not days, when active exploitation is confirmed.
- Assume breach for vulnerable, exposed systems: Any Exchange server that was internet-facing and unpatched during the March–April 2021 exploitation window should be considered potentially compromised and subjected to full incident response and forensics, not simply patched and returned to service.
References
- http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27065
Frequently asked questions
- What is CVE-2021-27065?
- Microsoft Exchange Server Remote Code Execution Vulnerability
- How severe is CVE-2021-27065?
- CVE-2021-27065 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-27065 being actively exploited?
- Yes. CVE-2021-27065 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-27065?
- CVE-2021-27065 primarily affects Microsoft Exchange Server. In total, 22 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-27065?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-27065 have an EU (EUVD) identifier?
- Yes. CVE-2021-27065 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13836. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-27065 published?
- CVE-2021-27065 was published on 2021-03-03 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27065
Affected products (22)
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
More vulnerabilities in Microsoft Exchange Server
- CVE-2007-0213 — Critical (CVSS 10.0): Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails,…
- CVE-2004-0840 — Critical (CVSS 10.0): The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows…
- CVE-2004-0574 — Critical (CVSS 10.0): The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows…
- CVE-1999-0385 — Critical (CVSS 10.0): The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of…
- CVE-2024-21410 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-21709 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Exchange Server →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…