CVE-2021-26855

Microsoft Exchange Server 'ProxyLogon' — SSRF Authentication Bypass Enables Pre-Auth RCE; Exploited as Zero-Day by HAFNIUM
CVSS 3.1: 9.1 / 10 (CRITICAL) | CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2021-26855, the first link in the "ProxyLogon" exploit chain, is a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker to bypass authentication entirely by sending crafted HTTP requests that the Exchange back-end processes as if they originate from the Exchange server itself. Combined with CVE-2021-27065 (post-auth arbitrary file write), the chain delivers unauthenticated remote code execution on any internet-facing Exchange server running a vulnerable version.

The vulnerability was discovered by Orange Tsai (Tsai Chi-Yu) of Devcore and reported to Microsoft on January 5, 2021. Unbeknownst to Microsoft, Chinese state-sponsored group HAFNIUM and at least six other threat actor groups had independently discovered and were actively exploiting it as a zero-day before the patch was released. By the time Microsoft issued the emergency patch on March 2, 2021, tens of thousands of Exchange servers had already been compromised.

What Is Microsoft Exchange Server?

Microsoft Exchange Server is the dominant enterprise email and calendaring platform, deployed on-premises by governments, corporations, banks, hospitals, and law firms worldwide. Internet-facing Exchange servers expose several HTTPS endpoints for external email clients (OWA, EAS, ECP, Autodiscover) — making them permanently internet-accessible and high-value targets. Compromise of an Exchange server typically yields access to all email, calendars, and contacts for every user in the organization.

Affected Versions

Exchange Version                   Vulnerable     Fixed Version / CU
Exchange Server 2013 CU23          Yes            CU23 + Security Update March 2021
Exchange Server 2016 CU18 / CU19   Yes            CU19 + SU, or CU20
Exchange Server 2019 CU7 / CU8     Yes            CU8 + SU, or CU9
Exchange Online (Office 365)       Not affected   Cloud-hosted; patched by Microsoft

Exchange 2010 received a separate Defense-in-Depth update. Only on-premises Exchange deployments were vulnerable.

Technical Details

Root Cause: SSRF in Exchange Backend Proxy

Exchange Server's architecture separates a front-end proxy (Client Access Services) from multiple back-end services. The front-end proxy is responsible for routing and authentication. CVE-2021-26855 is an SSRF in the front-end's request handling for the Exchange Control Panel (ECP) and Autodiscover endpoints.

An attacker sends a crafted HTTP request with a specific cookie (X-AnonResource-Backend) that instructs the Exchange front-end proxy to forward the request to an attacker-specified back-end URL. When the proxy forwards the request to the Exchange back-end (on localhost), the back-end server receives it as a trusted internal request — bypassing all front-end authentication checks.

The attacker effectively impersonates any Exchange user, including administrators, by crafting requests that the back-end processes with the spoofed identity.

The ProxyLogon Chain: SSRF + File Write = RCE

CVE-2021-26855 alone gives authentication bypass and authenticated access to any Exchange mailbox. To achieve RCE, it is chained with:

  • CVE-2021-27065 — A post-authentication arbitrary file write vulnerability in Exchange's ECP component. An authenticated request (enabled by the SSRF bypass) can write arbitrary files to any path on the Exchange server. Attackers write ASPX webshells to the Exchange web root.

Full exploit chain:

  1. Use CVE-2021-26855 SSRF to authenticate as any Exchange user (typically NT AUTHORITY\SYSTEM or an admin account).
  2. Use the authenticated session to call the ECP endpoint vulnerable to CVE-2021-27065.
  3. Write an ASPX webshell (e.g., China Chopper) to a web-accessible directory on the Exchange server.
  4. Access the webshell via HTTPS to execute OS commands as SYSTEM.

Attack Characteristics

Attribute                   Detail
Attack Vector               Network — Exchange HTTPS port (443)
Authentication Required     None — SSRF bypasses all authentication
Chain Required for RCE      Yes — CVE-2021-26855 + CVE-2021-27065
Code Execution Privilege    SYSTEM — Exchange runs as a highly privileged account
Webshell Type               ASPX (commonly China Chopper, custom variants)

Discovery

Orange Tsai (Tsai Chi-Yu) of Devcore discovered the ProxyLogon vulnerability chain as part of a research project studying Exchange's proxy architecture. He reported it to Microsoft on January 5, 2021, 58 days before the patch. During that window, HAFNIUM and at least six other threat actor groups were independently exploiting the same vulnerability as a zero-day — suggesting the vulnerability was known to multiple sophisticated actors before Devcore's research. Microsoft later confirmed that exploitation had begun no later than January 6, 2021.

Exploitation Context

The ProxyLogon disclosure triggered one of the largest coordinated emergency patching efforts for on-premises infrastructure in history:

  • Zero-day exploitation by 7+ threat groups before the patch, including HAFNIUM (attributed to China), Tick, LuckyMouse, Calypso, Winnti Group, Tonto Team, and Mikroceen
  • HAFNIUM's targets: U.S. law firms, defense contractors, infectious disease researchers, policy think tanks, and NGOs
  • Scale of compromise: Microsoft estimated hundreds of thousands of Exchange servers were vulnerable; CISA reported tens of thousands of US organizations compromised by the time the patch was released
  • Webshell persistence: Even organizations that patched quickly had often already been backdoored via ASPX webshells that persisted after patching
  • Ransomware use: DearCry ransomware was observed deployed via ProxyLogon webshells within days of patch release; multiple subsequent ransomware groups used ProxyLogon for initial access
  • CISA ED 21-02: Issued March 3, 2021, requiring federal agencies to patch within 48 hours or disconnect Exchange servers — one of CISA's most urgent-ever directives

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Apply the March 2021 Exchange Security Update immediately. All supported Exchange 2013/2016/2019 Cumulative Update levels received patches.

  2. Hunt for webshells — the patch does not remove backdoors already installed. Search the Exchange web root for unexpected ASPX files, in particular under:

     C:\inetpub\wwwroot\aspnet_client\
     C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\

     Microsoft's one-click mitigation tool and the Exchange On-Premises Mitigation Tool (EOMT) can assist.

  3. Review IIS logs for exploitation indicators — look for POST requests to /ecp/ with unusual parameters or from unexpected source IPs in the period before patching.

  4. Rotate credentials — Exchange SYSTEM access means all credentials cached or processed by Exchange (service accounts, admin passwords in email) should be considered compromised.

  5. Migrate to Exchange Online — on-premises Exchange requires ongoing patching of a complex, internet-facing attack surface. Microsoft 365 / Exchange Online removes this exposure entirely.
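The following script is an added example written for this page, not a Microsoft or CISA tool, and it illustrates steps 2 and 3 above: it parses IIS W3C-format log lines (reading the column order from the #Fields header), flags pre-patch POST requests to /ecp/ from sources outside the organization's trusted networks and any request for an .aspx file under /aspnet_client/, and walks a web root for .aspx files that are not in a known-good baseline or were modified after a cutoff. The log excerpt, file names, IP ranges and the patch date used as the cutoff are constructed values; the assumed helper names (parse_iis_log, triage_iis_log, hunt_aspx, build_demo_webroot) are this example's own.

```python
"""Added example: IIS log triage and ASPX hunt after a ProxyLogon exposure window.
Illustrative code for this page, not a vendor tool; all sample data is constructed."""
import ipaddress
import os
import tempfile
import time
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt (not real traffic). IIS writes spaces inside
# fields such as the User-Agent as '+', so whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-02-27 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.10 Mozilla/5.0 200
2021-02-27 08:13:44 10.0.0.5 POST /ecp/ - 198.51.100.23 python-requests/2.25.1 200
2021-02-27 08:13:45 10.0.0.5 POST /ecp/default.aspx - 198.51.100.23 python-requests/2.25.1 200
2021-02-27 08:14:02 10.0.0.5 GET /aspnet_client/supp0rt.aspx - 198.51.100.23 python-requests/2.25.1 200
2021-02-28 09:00:00 10.0.0.5 POST /ecp/default.aspx - 10.0.0.50 Mozilla/5.0 200
2021-03-05 11:30:12 10.0.0.5 POST /ecp/default.aspx - 203.0.113.10 Mozilla/5.0 200
"""

# Constructed assumptions: the org's internal ranges and the date the SU was applied.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
PATCH_APPLIED = datetime(2021, 3, 2)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the column names in #Fields."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_trusted(ip, networks):
    """True if the client IP falls inside a trusted network; unparsable values are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def triage_iis_log(text, patch_applied, networks):
    """Return (findings, ecp_posts_per_ip). Each finding is (reason, record)."""
    findings = []
    ecp_posts = defaultdict(int)
    for rec in parse_iis_log(text):
        when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        uri = rec["cs-uri-stem"].lower()
        src = rec["c-ip"]
        if rec["cs-method"] == "POST" and uri.startswith("/ecp/"):
            ecp_posts[src] += 1
            if when < patch_applied and not is_trusted(src, networks):
                findings.append(("pre-patch POST to /ecp/ from untrusted source", rec))
        if uri.startswith("/aspnet_client/") and uri.endswith(".aspx"):
            findings.append(("ASPX requested under /aspnet_client/", rec))
    return findings, dict(ecp_posts)


def hunt_aspx(root, baseline, modified_after):
    """List .aspx files under root that are not in the baseline or were modified after the cutoff."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if rel not in baseline or mtime > modified_after:
                hits.append(rel)
    return sorted(hits)


def build_demo_webroot():
    """Create a constructed web root in a temp dir: one baseline page, one unexpected ASPX."""
    root = tempfile.mkdtemp(prefix="exchange_demo_")
    os.makedirs(os.path.join(root, "owa", "auth"))
    os.makedirs(os.path.join(root, "aspnet_client"))
    good = os.path.join(root, "owa", "auth", "logon.aspx")
    with open(good, "w") as fh:
        fh.write("<!-- constructed baseline page -->")
    old = time.mktime(datetime(2020, 12, 1).timetuple())
    os.utime(good, (old, old))  # predates the exposure window
    with open(os.path.join(root, "aspnet_client", "supp0rt.aspx"), "w") as fh:
        fh.write("<!-- constructed placeholder for an unexpected file -->")
    return root


if __name__ == "__main__":
    findings, per_ip = triage_iis_log(SAMPLE_IIS_LOG, PATCH_APPLIED, TRUSTED_NETWORKS)
    for reason, rec in findings:
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-uri-stem']}: {reason}")
    print("POSTs to /ecp/ per source IP:", per_ip)
    root = build_demo_webroot()
    print("unexpected ASPX:", hunt_aspx(root, {"owa/auth/logon.aspx"}, datetime(2021, 1, 1)))
```

Point the triage at the real IIS log directory and the hunt at the paths listed in step 2, with a baseline taken from a clean installation of the same CU; a hit from the hunt is a file to preserve for forensics, not something to delete before the incident scope is understood.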

Key Details

Property                Value
CVE ID                  CVE-2021-26855
Vendor / Product        Microsoft — Exchange Server
NVD Published           2021-03-03
NVD Last Modified       2025-12-18
CVSS 3.1 Score          9.1
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity                CRITICAL
CWE                     CWE-918 — Server-Side Request Forgery (SSRF)
CISA KEV Added          2021-11-03
CISA KEV Deadline       2022-05-03
Known Ransomware Use    Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date          Event
2021-01-05    Orange Tsai (Devcore) reports ProxyLogon to Microsoft Security Response Center
2021-01-06    HAFNIUM begins exploiting CVE-2021-26855 as a zero-day; at least six other threat groups independently discover and exploit the vulnerability
2021-03-02    Microsoft releases emergency out-of-band patches for Exchange 2013/2016/2019; HAFNIUM disclosure published
2021-03-03    CVE-2021-26855 published; CISA Emergency Directive ED 21-02 issued (48-hour patch deadline for federal agencies)
2021-03-12    Microsoft releases one-click mitigation tool; CISA reports tens of thousands of US organizations compromised
2021-11-03    Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03    CISA BOD 22-01 remediation deadline