CVE-2021-31207

CVE-2021-31207 is a medium-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 6.6. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-434.

Key facts

Description

Microsoft Exchange Server Security Feature Bypass Vulnerability

CVE-2021-31207: Microsoft Exchange Server ProxyShell Security Feature Bypass (CWE-434)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2021-31207
CVSS v3.1 6.6 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v2 6.5 (MEDIUM) — AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE CWE-434: Unrestricted Upload of File with Dangerous Type
EPSS 0.99782 (99.78% probability of exploitation; 99.95th percentile)
KEV Yes — Added to CISA KEV on 2021-11-03
Known Exploitation EU exploited since 2021-11-03 (EUVD-2021-18120); actively used in ransomware campaigns
Published 2021-05-11
Last Modified 2026-06-17

Summary

CVE-2021-31207 is a security feature bypass vulnerability in Microsoft Exchange Server. When exploited, an authenticated attacker can bypass security checks to write files to arbitrary locations on the Exchange server filesystem. In practice, this vulnerability is almost never exploited in isolation; it forms the final stage of the ProxyShell attack chain, combined with CVE-2021-34473 (SSRF) and CVE-2021-34523 (privilege escalation) to achieve unauthenticated remote code execution (RCE) against on-premises Exchange servers.

Background

Microsoft Exchange Server has long been a high-value target for both state-sponsored and financially motivated threat actors due to its privileged position in enterprise mail environments. In 2021, security researchers at Devcore discovered a trio of vulnerabilities—dubbed "ProxyShell"—that could be chained together to fully compromise an Exchange server without any valid credentials. CVE-2021-31207 specifically targets the Arbitrary File Write capability within the Exchange Autodiscover and Exchange Control Panel (ECP) endpoints, allowing an attacker who has already achieved SSRF and privilege escalation to drop a web shell or other malicious payload onto the server.

Root Cause

CWE-434: Unrestricted Upload of File with Dangerous Type

The vulnerability exists because Exchange Server does not properly validate or restrict file write operations in the context of the Autodiscover and ECP endpoints. Specifically, an authenticated request can specify an arbitrary file path for writing, bypassing intended security restrictions. The flaw is rooted in insufficient path validation and a lack of strict file-type whitelisting when processing certain backend operations. Once the attacker can write a file to a web-accessible directory—such as the Exchange front-end web root—they can execute arbitrary code via ASP.NET request handling.

Impact

  • Confidentiality Impact (HIGH): Successful exploitation can lead to full mailbox data exfiltration, including sensitive corporate communications, calendars, and contacts.
  • Integrity Impact (HIGH): Attackers can modify mail rules, inject backdoors, or tamper with server configurations.
  • Availability Impact (HIGH): Ransomware operators have leveraged this vulnerability to deploy encrypting malware, causing widespread service disruption.

Although the CVSS v3.1 base score is 6.6 (Medium), the real-world severity is critical because the vulnerability is chained with two other flaws that remove the authentication and privilege requirements. The EPSS score of 0.99782 reflects near-certain active exploitation in the wild.

Exploitation Walkthrough

⚠️ Ethics & Legal Notice: The following description is provided for defensive awareness only. Attempting to exploit systems without authorization is illegal. No weaponized exploit code is provided.

The ProxyShell attack chain proceeds as follows:

  1. SSRF via CVE-2021-34473: The attacker sends a crafted request to the Autodiscover endpoint with a manipulated X-BEResource or Cookie header, causing Exchange to perform an internal request to the attacker-controlled server. This leaks a legacy DN (Distinguished Name) and establishes an SSRF channel.
  2. Privilege Escalation via CVE-2021-34523: Using the SSRF channel, the attacker sends a request to the /powershell endpoint to obtain a valid authenticated session token with elevated privileges—effectively impersonating the SYSTEM account.
  3. Arbitrary File Write via CVE-2021-31207 (this CVE): With the elevated token, the attacker invokes an ECP endpoint that accepts a file path and content. They write an ASPX web shell (e.g., shell.aspx) to the C:\inetpub\wwwroot\owa\auth\ directory (or another web-accessible path). Accessing the shell via HTTP triggers ASP.NET execution, granting the attacker remote code execution.

Affected and Patched Versions

Affected:

  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2016 Cumulative Update 20
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2019 Cumulative Update 9

Patched: Apply the latest security update from Microsoft for the corresponding Exchange version. Microsoft released patches for these CUs in the May 2021 and later security updates.

Remediation

  1. Apply Security Updates: Install the latest cumulative update and security patch for your Exchange Server version from Microsoft Security Response Center.
  2. Disable Unused Endpoints: If Autodiscover or ECP are not required externally, restrict access via firewall rules or reverse-proxy configurations.
  3. Implement WAF/IPS Rules: Deploy rules to detect and block ProxyShell exploitation patterns, including anomalous X-BEResource headers and suspicious file writes.
  4. Compensating Controls:
    • Enable and enforce Multi-Factor Authentication (MFA) for all Exchange admin accounts.
    • Restrict external access to Exchange Admin Center (EAC) and PowerShell remoting.
    • Apply principle of least privilege to service accounts.

Detection

  • IIS Logs: Look for unusual requests to /autodiscover/autodiscover.json or /ecp/ endpoints with anomalous headers or unexpected HTTP 200 responses to crafted payloads.
  • File System Monitoring: Alert on new .aspx, .ashx, or .asmx files appearing in web-accessible directories (owa\auth\, ecp\, aspnet_client\).
  • Network Signatures: Monitor for outbound connections from Exchange servers to unexpected external hosts (indicative of SSRF or command-and-control).
  • EDR/XDR Rules: Detect child processes spawned by w3wp.exe (IIS worker process) or suspicious PowerShell invocations.

Assessment

CVE-2021-31207 is a textbook example of how a "medium" CVSS vulnerability becomes critical in context. In isolation, the requirement for high privileges makes this flaw seem manageable; however, when paired with the preceding ProxyShell bugs, it provides the final code-execution stage for a fully unauthenticated compromise. The EPSS and KEV data confirm that this vulnerability has been exploited at scale by ransomware affiliates and nation-state actors alike.

Key Lessons:

  1. Chain Risk: Always evaluate vulnerability severity within the broader attack surface; a "medium" flaw can be the keystone in a critical exploit chain.
  2. Patch Velocity: ProxyShell was exploited in the wild within weeks of disclosure. Organizations with slow patch cycles for on-premises infrastructure remain at disproportionate risk.

References

Frequently asked questions

What is CVE-2021-31207?
Microsoft Exchange Server Security Feature Bypass Vulnerability
How severe is CVE-2021-31207?
CVE-2021-31207 has a CVSS 3.x base score of 6.6, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-31207 being actively exploited?
Yes. CVE-2021-31207 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-31207?
CVE-2021-31207 primarily affects Microsoft Exchange Server. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-31207?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-31207 have an EU (EUVD) identifier?
Yes. CVE-2021-31207 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-18120. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-31207 published?
CVE-2021-31207 was published on 2021-05-11 and last updated on 2026-06-17.

References

Affected products (5)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →

Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities

Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →