CVE-2021-42321

CVE-2021-42321 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-17).

Key facts

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-42321: Microsoft Exchange Server Remote Code Execution Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2021-42321
Published 2021-11-10
Severity (CVSS v3) HIGH — 8.8
CVSS v3 Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 90.39 % (percentile 99.79 %)
CISA KEV Added 2021-11-17
Assigner Microsoft Security Response Center

Summary

CVE-2021-42321 is a remote code execution (RCE) vulnerability affecting Microsoft Exchange Server. An attacker with low-privileged authenticated access to the target Exchange environment can exploit the flaw to execute arbitrary code on the underlying server. The vulnerability carries a CVSS v3 score of 8.8 and has been actively exploited in the wild since November 2021, as confirmed by CISA's Known Exploited Vulnerabilities catalog.

Background

Microsoft Exchange Server is a widely deployed email and calendaring platform used by enterprises and government organizations worldwide. Exchange's architecture exposes multiple web-based endpoints (e.g., ECP, EWS, Outlook Web Access) that process authenticated requests. Historically, Exchange has been a high-value target for both APT groups and commodity attackers due to its privileged position within organizational networks and its rich attack surface. CVE-2021-42321 was disclosed as part of Microsoft's November 2021 Patch Tuesday release.

Root Cause

The root cause of this vulnerability relates to improper input validation during deserialization operations within Exchange Server. Specifically, the flaw exists in the ChainedSerializationBinder class, which fails to adequately restrict the types that can be deserialized during request processing. By crafting a malicious serialized payload and submitting it through an authenticated endpoint, an attacker can trigger insecure deserialization, leading to remote code execution. The precise CWE identifier was not provided in the source data, though the behavior is consistent with CWE-502 (Deserialization of Untrusted Data).

Impact

The CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes the impact concisely:

  • Attack Vector (AV:N): Exploitable over the network — no local access required.
  • Attack Complexity (AC:L): Low complexity; reliable exploitation has been publicly documented.
  • Privileges Required (PR:L): The attacker must possess valid credentials for any authenticated user account.
  • User Interaction (UI:N): None required; the attack can be fully automated.
  • Scope (S:U): The vulnerable component is the Exchange server itself.
  • Confidentiality, Integrity, Availability (C:H/I:H/A:H): Successful exploitation grants the attacker full control over the server, including access to all mailboxes, potential lateral movement, and full compromise of the Exchange host.

The high EPSS score (90.39 %) and KEV inclusion indicate that exploitation is not merely theoretical but has been observed in real-world attacks.

Exploitation Walkthrough

Ethics Notice: This section describes the exploitation path from a defensive and analytical perspective. No weaponized exploit code is provided. Organizations should use this information to validate detection coverage and harden controls.

  1. Reconnaissance: The attacker identifies an on-premises Exchange Server (2016 or 2019) that has not been patched against CVE-2021-42321.

  2. Authentication: The attacker obtains credentials for any valid domain user with mailbox access. These credentials may be acquired through phishing, password spraying, or purchased from underground markets.

  3. Payload Submission: Using an authenticated session, the attacker submits a crafted request to an Exchange endpoint (such as the Exchange Control Panel or a PowerShell remoting endpoint) that leverages the insecure deserialization path. The payload embeds a malicious serialized object designed to execute operating-system commands upon deserialization.

  4. Code Execution: The Exchange server processes the payload, deserializes the attacker-controlled object, and executes the embedded command under the context of the Exchange worker process (typically SYSTEM or a high-privileged service account).

  5. Post-Exploitation: With code execution achieved, the attacker may deploy webshells, dump credentials, pivot to domain controllers, or exfiltrate mailbox data.

Defenders should assume that any unpatched Exchange server with externally exposed services and valid user credentials is at imminent risk.

Affected and Patched Versions

Affected:

  • Microsoft Exchange Server 2016 — Cumulative Update 21
  • Microsoft Exchange Server 2016 — Cumulative Update 22
  • Microsoft Exchange Server 2019 — Cumulative Update 10
  • Microsoft Exchange Server 2019 — Cumulative Update 11

Patched:
Apply the corresponding security update released in Microsoft's November 2021 security update. Organizations should consult the Microsoft Security Response Center advisory to identify the exact patch builds for each supported CU.

Remediation

  1. Apply Security Updates: Install the November 2021 (or later) cumulative/security update for Exchange Server from Microsoft as the primary remediation.

  2. Compensating Controls (if patching is delayed):

    • Restrict external access to Exchange web endpoints (ECP, EWS, ActiveSync, OWA) to trusted IP ranges or VPN-only access.
    • Enforce multi-factor authentication (MFA) for all Exchange user accounts to increase the difficulty of credential compromise.
    • Enable and monitor Extended Protection for Authentication (EPA) on Exchange virtual directories where supported.
    • Apply Microsoft's Exchange Mitigation Service (EMS) or URL Rewrite rules if available for this specific vulnerability class.
  3. Upgrade Unsupported Versions: Exchange Server 2013 reached end of support and was not listed as affected here, but any older, unsupported installations should be retired or upgraded immediately.

Detection

  • Web Server Logs: Monitor IIS logs for unusual POST requests to /ecp/, /ews/, or PowerShell remoting endpoints containing large or base64-encoded payload bodies.
  • Process Telemetry: Alert on unexpected child processes spawned by w3wp.exe (IIS worker process) or Exchange-related services, especially cmd.exe, powershell.exe, or mshta.exe.
  • ETW / Sysmon: Monitor for CLR deserialization events or suspicious .NET assembly loads within the Exchange application pool.
  • Network Traffic: Look for anomalous outbound connections from Exchange servers to unexpected external hosts, which may indicate post-exploitation command-and-control activity.
  • File Integrity: Scan Exchange web directories for unexpected files (e.g., .aspx webshells) that may indicate prior compromise.

Assessment

CVE-2021-42321 is a critical-in-practice vulnerability despite its "HIGH" CVSS v3 label. The combination of network exploitability, low attack complexity, and confirmed in-the-wild exploitation (CISA KEV, EPSS > 90 %) places it among the most dangerous Exchange flaws disclosed in 2021. The attacker's only prerequisite is a valid set of credentials, a barrier that nation-state and sophisticated criminal actors routinely overcome through phishing or credential theft.

Key Lessons:

  1. Deserialization remains a top-tier risk in .NET applications. Even mature platforms like Exchange continue to face serious flaws in serialization handling, reinforcing the need for strict type controls and allow-listing in deserialization binders.
  2. Patch velocity matters. CISA added this CVE to the KEV catalog within one week of disclosure, underscoring the urgency of treating Exchange patches as incident-response timelines rather than routine maintenance.

References

Frequently asked questions

What is CVE-2021-42321?
Microsoft Exchange Server Remote Code Execution Vulnerability
How severe is CVE-2021-42321?
CVE-2021-42321 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-42321 being actively exploited?
Yes. CVE-2021-42321 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-17, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-42321?
CVE-2021-42321 primarily affects Microsoft Exchange Server. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-42321?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-42321 have an EU (EUVD) identifier?
Yes. CVE-2021-42321 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-29296. It is also flagged as exploited in the EUVD (since 2021-11-17).
When was CVE-2021-42321 published?
CVE-2021-42321 was published on 2021-11-10 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Microsoft Exchange Server

All CVEs affecting Microsoft Exchange Server →