CVE-2021-34523

CVE-2021-34523 is a critical-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 9.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).

Key facts

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2021-34523: Microsoft Exchange Server Elevation of Privilege (ProxyShell)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2021-34523
Published 2021-07-14
Severity (CVSS v3) CRITICAL — 9.0
CVSS v3 Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS 0.99987 (99.987th percentile)
KEV Yes — added 2021-11-03
EU Exploited Yes — since 2021-11-03
Assigner [email protected]

Summary

CVE-2021-34523 is an elevation-of-privilege vulnerability in Microsoft Exchange Server. It was disclosed by Microsoft on July 14, 2021, and is widely understood to be one of three flaws chained together in the "ProxyShell" attack surface (alongside CVE-2021-34473 and CVE-2021-31207). The vulnerability allows an unauthenticated attacker to gain elevated privileges on the Exchange server, enabling subsequent code execution and full mailbox access.

Background

Microsoft Exchange Server provides enterprise email, calendaring, and collaboration services. It exposes multiple web-based endpoints such as /autodiscover, /ecp, and /owa that handle client requests and internal backend proxying. Exchange has historically been a high-value target for both nation-state and financially motivated actors because it stores sensitive communications and credentials.

ProxyShell emerged as a fully unauthenticated remote exploit chain in mid-2021, leveraging flaws in the Exchange Client Access Service (CAS) frontend-to-backend communication path. CVE-2021-34523 specifically relates to the elevation-of-privilege component that allows the attacker to act as the SYSTEM or an elevated user on the backend.

Root Cause

The root cause is an improper access-control issue in the Exchange CAS component. The CWE identifier is not specified in the source data, but the flaw falls under the category of Improper Privilege Management (CWE-269) or Improper Access Control (CWE-284). The server fails to adequately validate the privileges of incoming requests before proxying them to the backend endpoints, allowing unauthenticated frontend requests to reach the backend with elevated privileges.

Impact

The CVSS v3 score is 9.0 (CRITICAL) with the following metric breakdown:

  • Confidentiality: High
  • Integrity: High
  • Availability: None
  • Scope: Changed (the vulnerable component impacts resources beyond its security scope)
  • Attack Vector: Local (per the provided CVSS:3.1 vector, though the practical exploitation path is network-accessible through the Exchange web interface)

The CVSS v2 score is 7.5 with Network attack vector, Low complexity, and No authentication required. In real-world terms, successful exploitation grants an attacker the ability to:

  • Bypass authentication on Exchange backend endpoints
  • Access mailboxes and sensitive email data
  • Escalate to remote code execution when combined with the other ProxyShell flaws
  • Maintain persistent access in an enterprise environment

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the attack flow from a defender's point of view to aid detection and mitigation. No weaponized exploit code is provided.

  1. Reconnaissance: The attacker scans for publicly accessible Exchange servers (typically on TCP 443).
  2. Path discovery: The attacker identifies the /autodiscover or /ecp endpoints and tests for the ProxyShell vulnerability pattern.
  3. Privilege bypass: By crafting a malicious request to the frontend, the attacker causes the backend to treat the request as coming from an elevated user, effectively bypassing authentication.
  4. Chaining: With CVE-2021-34473 (pre-auth remote code execution) and CVE-2021-31207 (arbitrary file write), the attacker can write files to the Exchange web root and achieve remote code execution.
  5. Post-exploitation: The attacker may deploy web shells, exfiltrate mailbox data, or move laterally within the network.

Defenders should monitor for:

  • Unusual HTTP requests to /autodiscover, /ecp, and /owa containing anomalous headers or paths
  • Large numbers of 401 or 404 responses followed by successful 200 responses from the same source
  • Unexpected ASPX or other script files appearing in Exchange web directories

Affected and Patched Versions

Affected versions (from the provided NVD CPE data):

  • Microsoft Exchange Server 2013 — Cumulative Update 23
  • Microsoft Exchange Server 2016 — Cumulative Update 19
  • Microsoft Exchange Server 2016 — Cumulative Update 20
  • Microsoft Exchange Server 2019 — Cumulative Update 8
  • Microsoft Exchange Server 2019 — Cumulative Update 9

Patched versions: The specific patched cumulative updates are not listed in the source data. Microsoft typically addressed ProxyShell in the July 2021 security updates and subsequent cumulative updates. Administrators should apply the latest supported cumulative update for their Exchange version.

Remediation

  1. Patch immediately: Apply the latest Microsoft Exchange Server cumulative update. Ensure the July 2021 (or later) security updates are installed.
  2. Compensating controls:
    • Restrict external access to Exchange Admin Center (ECP) and Autodiscover endpoints where possible.
    • Deploy an SSL/TLS-inspecting Web Application Firewall (WAF) with rules for ProxyShell patterns.
    • Enable Microsoft Exchange Emergency Mitigation (EM) service if available in your environment.
  3. Hardening:
    • Disable unnecessary Exchange services and virtual directories.
    • Implement split DNS so that internal clients do not traverse the perimeter to reach Exchange.

Detection

  • Network signatures: Look for HTTP requests to /autodiscover/autodiscover.json or /ecp/y.js with unusual path traversal or header patterns.
  • Endpoint detection: Monitor w3wp.exe (IIS worker process) for child processes such as cmd.exe or powershell.exe originating from Exchange web directories.
  • File integrity monitoring: Alert on new .aspx files in Exchange web root folders.
  • Log correlation: Correlate IIS logs with Windows Security Event Logs (Event ID 4624) for suspicious authentication patterns.
  • Threat intelligence: Use CISA's KEV catalog and EPSS scoring to prioritize this vulnerability in your vulnerability management program.

Assessment

With an EPSS score of 0.99987 and confirmed Known Exploited Vulnerability (KEV) status since November 2021, CVE-2021-34523 represents one of the highest-probability threats in the enterprise email landscape. It was actively exploited in the wild by multiple threat actors shortly after disclosure. The EU also confirmed exploitation since November 2021.

Key lessons:

  1. Attack surface reduction matters: Publicly exposed Exchange endpoints continue to be a primary initial-access vector. Restricting access to administrative endpoints would have reduced the blast radius of ProxyShell.
  2. Patch velocity is critical: Even though patches were available in July 2021, organizations without robust patching programs remained exposed for months, leading to widespread compromises.

References

Frequently asked questions

What is CVE-2021-34523?
Microsoft Exchange Server Elevation of Privilege Vulnerability
How severe is CVE-2021-34523?
CVE-2021-34523 has a CVSS 3.x base score of 9.0, rated critical severity. It is exploitable over local access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2021-34523 being actively exploited?
Yes. CVE-2021-34523 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-34523?
CVE-2021-34523 primarily affects Microsoft Exchange Server. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-34523?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-34523 have an EU (EUVD) identifier?
Yes. CVE-2021-34523 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-21177. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-34523 published?
CVE-2021-34523 was published on 2021-07-14 and last updated on 2026-06-17.

References

Affected products (5)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →