CVE-2021-31207
CVE-2021-31207 is a medium-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 6.6. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-434.
Key facts
- Severity: Medium (CVSS 3.x base score 6.6)
- CVSS v2: 6.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-18120
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-434
- Affected product: Microsoft Exchange Server
- Published:
- Last modified:
Description
Microsoft Exchange Server Security Feature Bypass Vulnerability
CVE-2021-31207: Microsoft Exchange Server ProxyShell Security Feature Bypass (CWE-434)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2021-31207 |
| CVSS v3.1 | 6.6 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVSS v2 | 6.5 (MEDIUM) — AV:N/AC:L/Au:S/C:P/I:P/A:P |
| CWE | CWE-434: Unrestricted Upload of File with Dangerous Type |
| EPSS | 0.99782 (99.78% probability of exploitation; 99.95th percentile) |
| KEV | Yes — Added to CISA KEV on 2021-11-03 |
| Known Exploitation | EU exploited since 2021-11-03 (EUVD-2021-18120); actively used in ransomware campaigns |
| Published | 2021-05-11 |
| Last Modified | 2026-06-17 |
Summary
CVE-2021-31207 is a security feature bypass vulnerability in Microsoft Exchange Server. When exploited, an authenticated attacker can bypass security checks to write files to arbitrary locations on the Exchange server filesystem. In practice, this vulnerability is almost never exploited in isolation; it forms the final stage of the ProxyShell attack chain, combined with CVE-2021-34473 (SSRF) and CVE-2021-34523 (privilege escalation) to achieve unauthenticated remote code execution (RCE) against on-premises Exchange servers.
Background
Microsoft Exchange Server has long been a high-value target for both state-sponsored and financially motivated threat actors due to its privileged position in enterprise mail environments. In 2021, security researchers at Devcore discovered a trio of vulnerabilities—dubbed "ProxyShell"—that could be chained together to fully compromise an Exchange server without any valid credentials. CVE-2021-31207 specifically targets the Arbitrary File Write capability within the Exchange Autodiscover and Exchange Control Panel (ECP) endpoints, allowing an attacker who has already achieved SSRF and privilege escalation to drop a web shell or other malicious payload onto the server.
Root Cause
CWE-434: Unrestricted Upload of File with Dangerous Type
The vulnerability exists because Exchange Server does not properly validate or restrict file write operations in the context of the Autodiscover and ECP endpoints. Specifically, an authenticated request can specify an arbitrary file path for writing, bypassing intended security restrictions. The flaw is rooted in insufficient path validation and a lack of strict file-type whitelisting when processing certain backend operations. Once the attacker can write a file to a web-accessible directory—such as the Exchange front-end web root—they can execute arbitrary code via ASP.NET request handling.
Impact
- Confidentiality Impact (HIGH): Successful exploitation can lead to full mailbox data exfiltration, including sensitive corporate communications, calendars, and contacts.
- Integrity Impact (HIGH): Attackers can modify mail rules, inject backdoors, or tamper with server configurations.
- Availability Impact (HIGH): Ransomware operators have leveraged this vulnerability to deploy encrypting malware, causing widespread service disruption.
Although the CVSS v3.1 base score is 6.6 (Medium), the real-world severity is critical because the vulnerability is chained with two other flaws that remove the authentication and privilege requirements. The EPSS score of 0.99782 reflects near-certain active exploitation in the wild.
Exploitation Walkthrough
⚠️ Ethics & Legal Notice: The following description is provided for defensive awareness only. Attempting to exploit systems without authorization is illegal. No weaponized exploit code is provided.
The ProxyShell attack chain proceeds as follows:
- SSRF via CVE-2021-34473: The attacker sends a crafted request to the Autodiscover endpoint with a manipulated
X-BEResourceorCookieheader, causing Exchange to perform an internal request to the attacker-controlled server. This leaks a legacy DN (Distinguished Name) and establishes an SSRF channel. - Privilege Escalation via CVE-2021-34523: Using the SSRF channel, the attacker sends a request to the
/powershellendpoint to obtain a valid authenticated session token with elevated privileges—effectively impersonating the SYSTEM account. - Arbitrary File Write via CVE-2021-31207 (this CVE): With the elevated token, the attacker invokes an ECP endpoint that accepts a file path and content. They write an ASPX web shell (e.g.,
shell.aspx) to theC:\inetpub\wwwroot\owa\auth\directory (or another web-accessible path). Accessing the shell via HTTP triggers ASP.NET execution, granting the attacker remote code execution.
Affected and Patched Versions
Affected:
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2016 Cumulative Update 20
- Microsoft Exchange Server 2019 Cumulative Update 8
- Microsoft Exchange Server 2019 Cumulative Update 9
Patched: Apply the latest security update from Microsoft for the corresponding Exchange version. Microsoft released patches for these CUs in the May 2021 and later security updates.
Remediation
- Apply Security Updates: Install the latest cumulative update and security patch for your Exchange Server version from Microsoft Security Response Center.
- Disable Unused Endpoints: If Autodiscover or ECP are not required externally, restrict access via firewall rules or reverse-proxy configurations.
- Implement WAF/IPS Rules: Deploy rules to detect and block ProxyShell exploitation patterns, including anomalous
X-BEResourceheaders and suspicious file writes. - Compensating Controls:
- Enable and enforce Multi-Factor Authentication (MFA) for all Exchange admin accounts.
- Restrict external access to Exchange Admin Center (EAC) and PowerShell remoting.
- Apply principle of least privilege to service accounts.
Detection
- IIS Logs: Look for unusual requests to
/autodiscover/autodiscover.jsonor/ecp/endpoints with anomalous headers or unexpected HTTP 200 responses to crafted payloads. - File System Monitoring: Alert on new
.aspx,.ashx, or.asmxfiles appearing in web-accessible directories (owa\auth\,ecp\,aspnet_client\). - Network Signatures: Monitor for outbound connections from Exchange servers to unexpected external hosts (indicative of SSRF or command-and-control).
- EDR/XDR Rules: Detect child processes spawned by
w3wp.exe(IIS worker process) or suspicious PowerShell invocations.
Assessment
CVE-2021-31207 is a textbook example of how a "medium" CVSS vulnerability becomes critical in context. In isolation, the requirement for high privileges makes this flaw seem manageable; however, when paired with the preceding ProxyShell bugs, it provides the final code-execution stage for a fully unauthenticated compromise. The EPSS and KEV data confirm that this vulnerability has been exploited at scale by ransomware affiliates and nation-state actors alike.
Key Lessons:
- Chain Risk: Always evaluate vulnerability severity within the broader attack surface; a "medium" flaw can be the keystone in a critical exploit chain.
- Patch Velocity: ProxyShell was exploited in the wild within weeks of disclosure. Organizations with slow patch cycles for on-premises infrastructure remain at disproportionate risk.
References
Frequently asked questions
- What is CVE-2021-31207?
- Microsoft Exchange Server Security Feature Bypass Vulnerability
- How severe is CVE-2021-31207?
- CVE-2021-31207 has a CVSS 3.x base score of 6.6, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-31207 being actively exploited?
- Yes. CVE-2021-31207 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-31207?
- CVE-2021-31207 primarily affects Microsoft Exchange Server. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-31207?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-31207 have an EU (EUVD) identifier?
- Yes. CVE-2021-31207 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-18120. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-31207 published?
- CVE-2021-31207 was published on 2021-05-11 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31207
- https://www.zerodayinitiative.com/advisories/ZDI-21-819/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31207
Affected products (5)
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*
More vulnerabilities in Microsoft Exchange Server
- CVE-2007-0213 — Critical (CVSS 10.0): Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails,…
- CVE-2004-0840 — Critical (CVSS 10.0): The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows…
- CVE-2004-0574 — Critical (CVSS 10.0): The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows…
- CVE-1999-0385 — Critical (CVSS 10.0): The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of…
- CVE-2024-21410 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-21709 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Exchange Server →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →