CVE-2021-27065

CVE-2021-27065 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-27065: Microsoft Exchange Server Path Traversal Leading to Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2021-27065
CVSS v2 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS v3 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CWE CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
EPSS 0.99946 (99.9th percentile)
KEV Yes (added 2021-11-03)
CISA KEV https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27065

Summary

CVE-2021-27065 is a remote code execution vulnerability in Microsoft Exchange Server caused by a path traversal flaw (CWE-22). An attacker can exploit this vulnerability to write arbitrary files to the server filesystem, which can then be leveraged to achieve remote code execution. This vulnerability is part of the widely exploited ProxyLogon attack chain and has been actively used in the wild.

Background

Microsoft Exchange Server is a widely deployed email and calendaring server. In early 2021, multiple zero-day vulnerabilities in Exchange Server were discovered and exploited by threat actors. CVE-2021-27065, alongside related vulnerabilities, was leveraged in widespread attacks to compromise Exchange servers globally. The vulnerability resides in the Exchange Control Panel (ECP) component, where improper handling of file paths allows directory traversal.

Root Cause

CWE-22: Path Traversal. The vulnerability exists because the Exchange Control Panel fails to properly validate and sanitize user-supplied file paths. An attacker can supply directory traversal sequences in file path parameters to write files outside the intended directory. Because the written content is attacker-controlled and can be placed within web-accessible directories, the attacker can achieve remote code execution when the server processes the file.

Impact

  • CVSS v2: 6.8 (Network, Medium complexity, No authentication, Partial C/I/A impact)
  • CVSS v3: 7.8 — HIGH (Local attack vector, Low complexity, No privileges required, User interaction required, High confidentiality/integrity/availability impact)
  • Real-world impact: Successful exploitation enables an attacker to execute arbitrary code on the Exchange server, typically with high privileges. This can lead to complete server compromise, data theft, email access, lateral movement within the network, and deployment of persistent backdoors or ransomware. The vulnerability is classified as HIGH severity.

Exploitation Walkthrough

Ethics & Defensive Context: This section provides a conceptual overview for defenders and incident responders. No working exploit code is provided.

The exploitation of CVE-2021-27065 typically occurs as part of an attack chain:

  1. Initial Access: An attacker first obtains access to the Exchange Control Panel, often by exploiting a related server-side request forgery (SSRF) vulnerability (CVE-2021-26855) to bypass authentication.
  2. Path Traversal / File Write: The attacker crafts a request to the ECP file export or write functionality, supplying a malicious filename containing directory traversal sequences (e.g., ..\). This causes the server to write the attacker-controlled file to an arbitrary location, such as a web-accessible directory.
  3. Code Execution: The attacker subsequently requests the written file via HTTP. The server processes the file (e.g., an ASPX web shell), executing the embedded code and granting the attacker remote command execution.

Defensive teams should monitor for:

  • Unexpected ASPX or script files appearing in Exchange web directories.
  • Unusual POST requests to ECP endpoints followed by GET requests to new or unusual paths.
  • Anomalous file write activity in the Exchange server installation directory.

Affected and Patched Versions

Affected (based on vendor CPE data):

  • Microsoft Exchange Server 2013 (Cumulative Update 21, SP1)
  • Microsoft Exchange Server 2016 (Cumulative Update 8 through Cumulative Update 19)
  • Microsoft Exchange Server 2019 (RTM through Cumulative Update 8)

Patched:
Microsoft released security updates for this vulnerability in March 2021. Administrators should apply the latest cumulative update for their supported Exchange Server version. Refer to the Microsoft Security Response Center advisory for specific patch guidance.

Remediation

  1. Apply Updates: Install the latest Microsoft Exchange Server cumulative updates and security patches immediately. The March 2021 security updates specifically addressed this vulnerability.
  2. Compensating Controls: If immediate patching is not feasible:
    • Restrict external access to the Exchange Control Panel (ECP) and Outlook Web Access (OWA) to trusted networks or VPN-only connections.
    • Implement reverse proxy and WAF rules to filter malicious requests targeting Exchange endpoints.
    • Apply temporary mitigations for related authentication-bypass vulnerabilities (such as CVE-2021-26855) to reduce attack surface.
  3. Compromise Assessment: Given the high EPSS score and confirmed exploitation, any unpatched Exchange server that was internet-accessible during the exploitation window should be treated as potentially compromised. Conduct a full forensic investigation for:
    • Web shells in Exchange web directories.
    • Unauthorized mailbox access or rule modifications.
    • Suspicious process execution by the IIS worker process.

Detection

  • Endpoint Detection: Monitor for the IIS worker process (w3wp.exe) spawning unusual child processes such as cmd.exe, powershell.exe, or mshta.exe.
  • File Integrity Monitoring: Alert on new or modified .aspx, .ashx, or .dll files in Exchange web application directories.
  • Network Detection: Deploy IDS/IPS signatures to detect known ProxyLogon exploit patterns, including anomalous requests to /ecp/ endpoints with traversal sequences or unusual headers.
  • Log Analysis: Review IIS and Exchange logs for suspicious POST requests to ECP DDI service endpoints followed by GET requests to unexpected paths under web-accessible directories.

Assessment

With an EPSS score of 0.99946 (99.9th percentile) and confirmed Known Exploited Vulnerability (KEV) status since November 2021, CVE-2021-27065 is one of the most reliably exploited server vulnerabilities in recent years. The ProxyLogon attack chain was used by multiple threat actors, including APT groups and ransomware affiliates, in widespread campaigns against Exchange servers.

Key lessons:

  1. Patch internet-facing infrastructure immediately: Exchange servers are high-value targets. Security updates for critical vulnerabilities in internet-facing applications should be applied within hours, not days, when active exploitation is confirmed.
  2. Assume breach for vulnerable, exposed systems: Any Exchange server that was internet-facing and unpatched during the March–April 2021 exploitation window should be considered potentially compromised and subjected to full incident response and forensics, not simply patched and returned to service.

References

Frequently asked questions

What is CVE-2021-27065?
Microsoft Exchange Server Remote Code Execution Vulnerability
How severe is CVE-2021-27065?
CVE-2021-27065 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-27065 being actively exploited?
Yes. CVE-2021-27065 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-27065?
CVE-2021-27065 primarily affects Microsoft Exchange Server. In total, 22 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-27065?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-27065 have an EU (EUVD) identifier?
Yes. CVE-2021-27065 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13836. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-27065 published?
CVE-2021-27065 was published on 2021-03-03 and last updated on 2026-06-17.

References

Affected products (22)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →