CVE-2021-26857 — Microsoft Exchange Server Remote Code Execution Vulnerability

ProxyLogon — Exchange Unified Messaging Deserialization Enables SYSTEM Code Execution After Authentication via CVE-2021-26855 SSRF; CISA ED 21-02

What is Microsoft Exchange Unified Messaging?

Microsoft Exchange Server's Unified Messaging (UM) service integrates voicemail, fax, and telephone features with Exchange mailboxes — allowing employees to receive voicemail messages in their email inbox, access email by phone, and use auto-attendant features. The UM service runs as a Windows service with SYSTEM-level privileges on the Exchange server and processes incoming data including audio streams, fax data, and structured messages from telephony infrastructure. Because UM deserializes complex data structures from external sources, it presents a high-value deserialization attack surface: if an attacker can reach the UM service with malicious serialized data, they can achieve code execution as SYSTEM on the Exchange server — the highest privilege level on Windows.

Overview

CVE-2021-26857 is an insecure deserialization vulnerability (CWE-502) in Microsoft Exchange Server's Unified Messaging service. It is one of four vulnerabilities forming the ProxyLogon exploit chain, discovered by DEVCORE security researcher Orange Tsai and exploited as zero-days by the HAFNIUM threat group (and later many other actors) before Microsoft's emergency out-of-band patch on March 2, 2021. In the ProxyLogon chain, CVE-2021-26855 (pre-auth SSRF) provides authenticated access to Exchange as any user, and CVE-2021-26857 (UM deserialization) then delivers SYSTEM-level code execution by sending malicious serialized data to the UM service. The standalone CVSS vector (AV:L) reflects that without the SSRF bridge, direct exploitation requires local access; in the full chain, the attack is effectively unauthenticated and remote. CISA issued Emergency Directive 21-02 mandating immediate patching of federal Exchange servers.

Affected Versions

Product | Vulnerable | Fixed
Exchange Server 2013 CU23 | Yes | March 2021 Security Update
Exchange Server 2016 CU18, CU19 | Yes | March 2021 Security Update
Exchange Server 2019 CU7, CU8 | Yes | March 2021 Security Update
Exchange Online (Microsoft 365) | Not affected | Managed service, patched by Microsoft

Technical Details

  • Root cause: Insecure deserialization (CWE-502) in the Exchange Unified Messaging service — the UM service deserializes GZIP-compressed, untrusted data without validating that the deserialized object graph is safe; an attacker who can send crafted serialized data to the UM service triggers arbitrary code execution in the deserialization process, running as SYSTEM
  • ProxyLogon chain step 2: (1) CVE-2021-26855 pre-auth SSRF → Exchange sends HTTP requests to attacker-specified endpoints, enabling authentication token theft and impersonation of any Exchange user including admin; (2) CVE-2021-26857 UM deserialization → SYSTEM code execution on the Exchange server using the authenticated channel obtained via step 1
  • SYSTEM execution: The Unified Messaging service runs with SYSTEM privileges on the Exchange server; code execution via UM deserialization gives the attacker the highest privilege on the host — enabling arbitrary command execution, credential dumping (e.g., Active Directory credentials from Exchange's service account), and web shell deployment
  • Concurrent file write chain: HAFNIUM and follow-on actors also paired CVE-2021-26855 with CVE-2021-26858 and CVE-2021-27065 (arbitrary file write) to deploy web shells without requiring the UM service; CVE-2021-26857 provides the SYSTEM RCE path specifically for full host compromise
  • Ransomware use: Multiple ransomware groups (BlackKingdom, DearCry, LockFile) exploited ProxyLogon-compromised Exchange servers to deploy ransomware across organizations; Exchange serves as a high-privilege beachhead for spreading across the corporate network

Discovery

Discovered by Orange Tsai of the security research firm DEVCORE, who reported the full ProxyLogon chain to Microsoft on January 5, 2021. Microsoft began working on a patch, but HAFNIUM (a Chinese state-sponsored threat group) began exploiting the vulnerabilities as zero-days before the patch was available; Microsoft detected this activity in late February 2021. Microsoft issued out-of-band emergency patches on March 2, 2021, earlier than the scheduled Patch Tuesday, to limit the exposure window. Within two weeks of patch release, tens of thousands of organizations worldwide had been compromised.

Exploitation Context

ProxyLogon became one of the most widely exploited Exchange vulnerabilities in history. HAFNIUM was the initial exploiter, targeting US defense contractors, law firms, infectious disease researchers, and NGOs — consistent with Chinese intelligence collection priorities. Within days of the public patch announcement, dozens of other threat groups (criminal and nation-state) had acquired or recreated the exploit and began mass scanning and exploitation. CISA Emergency Directive 21-02 required all federal civilian agencies to patch or disconnect vulnerable Exchange servers within five days — one of the most aggressive federal vulnerability response timelines ever issued. CVE-2021-26857's UM deserialization path provided SYSTEM access that attackers used for credential harvesting (LSASS dumps, AD data), persistent web shell deployment, and lateral movement through enterprise networks.

Remediation

  1. Apply Microsoft Exchange March 2021 Security Updates (KB5000871 and related) — available for Exchange 2013, 2016, and 2019
  2. If patching is not immediately possible, run Microsoft's Exchange On-Premises Mitigation Tool (one-click) or apply the manual mitigations in the MSRC advisory to block the SSRF attack vector (CVE-2021-26855), which is the prerequisite for network exploitation of CVE-2021-26857
  3. Assume compromise: any Exchange server that was internet-accessible and unpatched between late February and early March 2021 should be treated as compromised — scan with Microsoft's HAFNIUM detection scripts (Test-ProxyLogon.ps1) and hunt for web shells in IIS directories
  4. Search for web shells in Exchange IIS paths: C:\inetpub\wwwroot\aspnet_client\, %ExchangeInstallPath%\FrontEnd\HttpProxy\, %ExchangeInstallPath%\ClientAccess\ and subdirectories
  5. Check for persistence mechanisms: new admin accounts, scheduled tasks, unexpected services, modified Exchange configuration
  6. Rotate all credentials accessible from the Exchange server: Exchange service account, Active Directory accounts with mailbox access, any credentials in Exchange configuration
  7. Reference CISA ED 21-02 and the associated CISA advisory AA21-062A for detailed detection and response guidance
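
Steps 3 through 5 above describe a manual hunt. The script below is an added, read-only triage pass that is not part of this CVE record and is not Microsoft's Test-ProxyLogon.ps1: it walks the three IIS directories named in step 4 for server-side script files written inside a chosen window, hashes them for later lookup, and lists scheduled tasks, services and local Administrators membership for the persistence review in step 5. The default window start (2021-02-20), the script-extension list and the report path are assumptions chosen for illustration; adjust them to your own exposure window. It relies only on the ExchangeInstallPath environment variable that the Exchange installer sets and on standard Windows cmdlets.

```powershell
# Added triage script (not part of this CVE record and not Microsoft's Test-ProxyLogon.ps1).
# Read-only: it lists candidate web shells in the IIS paths named in the Remediation
# steps and surfaces recently registered persistence for an analyst to review.
# Run from an elevated PowerShell session on the Exchange server itself.
param(
    # Start of the exposure window to examine. The date is an assumption based on the
    # late-February 2021 in-the-wild exploitation; set it from your own patch history.
    [datetime]$Since = [datetime]'2021-02-20',
    [string]$ReportPath = (Join-Path $env:TEMP 'exchange-triage.csv')
)

$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { throw 'ExchangeInstallPath is not set; run this on the Exchange server.' }

# IIS directories from Remediation step 4. Web shells on Exchange are ASP.NET pages,
# so only server-side script extensions are collected (the extension list is an assumption).
$webPaths = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $exchangeRoot 'ClientAccess')
)
$scriptExtensions = @('.aspx', '.ashx', '.asmx', '.asp')

function New-Finding([string]$Type, [string]$Item, $Timestamp, [string]$Detail) {
    [pscustomobject]@{ Type = $Type; Item = $Item; Timestamp = $Timestamp; Detail = $Detail }
}

# Steps 3 and 4: server-side script files written inside the window, with SHA256 for later lookup.
$webFiles = foreach ($dir in $webPaths) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExtensions -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            New-Finding 'WebFile' $_.FullName $_.LastWriteTime (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
}

# Step 5: scheduled tasks registered inside the window (Date comes from the task's RegistrationInfo).
$tasks = Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -ge $Since } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    New-Finding 'ScheduledTask' ($_.TaskPath + $_.TaskName) ([datetime]$_.Date) $actions
}

# Step 5: services whose executable was created inside the window.
$services = Get-CimInstance Win32_Service | ForEach-Object {
    if ($_.PathName -match '^"?([^"]+?\.exe)') {
        $exe = $Matches[1]
        if (Test-Path -LiteralPath $exe) {
            $created = (Get-Item -LiteralPath $exe).CreationTime
            if ($created -ge $Since) { New-Finding 'Service' $_.Name $created $_.PathName }
        }
    }
}

# Step 5: local Administrators membership for manual review (no creation time is available here).
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    New-Finding 'LocalAdmin' $_.Name $null $_.PrincipalSource
}

$findings = @($webFiles) + @($tasks) + @($services) + @($admins)
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Sort-Object Type, Timestamp | Format-Table -AutoSize
"Wrote $($findings.Count) findings to $ReportPath"
```

Every WebFile finding needs a human decision: Exchange ships many legitimate .aspx pages, and a cumulative update rewrites them, so compare timestamps against your update history and look up the hashes before treating a file as a shell. Because the script only reads, it can be run repeatedly during an investigation without disturbing evidence.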

Key Details

Property | Value
CVE ID | CVE-2021-26857
Vendor / Product | Microsoft — Exchange Server
NVD Published | 2021-03-03
NVD Last Modified | 2025-12-18
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-502
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Local
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High
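
The breakdown above is the metric-by-metric view of the vector string in Key Details. To make the arithmetic behind the 7.8 score visible, here is an added example (not part of this CVE record) that parses a CVSS 3.1 vector and recomputes the base score with the metric weights and the Roundup function from the CVSS v3.1 specification. It implements only the Scope:Unchanged formula, which is what this vector uses, and refuses Scope:Changed vectors rather than scoring them wrongly; the function names are this example's own.

```powershell
# Added example (not part of the CVE record): recompute a CVSS 3.1 base score from
# its vector string. Weights are the published CVSS v3.1 base-metric constants.
$Weights = @{
    AV = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }
    AC = @{ L = 0.77; H = 0.44 }
    PR = @{ N = 0.85; L = 0.62; H = 0.27 }   # Privileges Required weights for Scope:Unchanged
    UI = @{ N = 0.85; R = 0.62 }
    C  = @{ H = 0.56; L = 0.22; N = 0.0 }
    I  = @{ H = 0.56; L = 0.22; N = 0.0 }
    A  = @{ H = 0.56; L = 0.22; N = 0.0 }
}

function Get-CvssRoundUp([double]$Value) {
    # Roundup() as defined in CVSS v3.1 Appendix A: work in integer hundred-thousandths
    # so that floating-point noise cannot push a score across a tenth boundary.
    $int = [math]::Round($Value * 100000)
    if ($int % 10000 -eq 0) { return $int / 100000 }
    return ([math]::Floor($int / 10000) + 1) / 10
}

function Get-CvssBaseScore([string]$Vector) {
    # Turn "CVSS:3.1/AV:L/AC:L/..." into a metric -> value map.
    $m = @{}
    foreach ($part in ($Vector -split '/')) {
        if ($part -like 'CVSS:*') { continue }
        $k, $v = $part -split ':'
        $m[$k] = $v
    }
    if ($m.S -ne 'U') { throw 'Only Scope:Unchanged is implemented in this example.' }

    # Impact sub-score: 1 minus the product of the three "no impact" probabilities.
    $iss = 1 - (1 - $Weights.C[$m.C]) * (1 - $Weights.I[$m.I]) * (1 - $Weights.A[$m.A])
    $impact = 6.42 * $iss
    # Exploitability: AV:L and UI:R are the two factors that hold this CVE's standalone score down.
    $exploitability = 8.22 * $Weights.AV[$m.AV] * $Weights.AC[$m.AC] * $Weights.PR[$m.PR] * $Weights.UI[$m.UI]

    if ($impact -le 0) { return 0.0 }
    return Get-CvssRoundUp ([math]::Min($impact + $exploitability, 10))
}

function Get-CvssSeverity([double]$Score) {
    # Qualitative rating bands from the CVSS v3.1 specification.
    if ($Score -eq 0) { return 'NONE' }
    if ($Score -lt 4.0) { return 'LOW' }
    if ($Score -lt 7.0) { return 'MEDIUM' }
    if ($Score -lt 9.0) { return 'HIGH' }
    return 'CRITICAL'
}

# The vector from this page's Key Details table.
$vector = 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'
$score = Get-CvssBaseScore $vector
'{0} -> {1} ({2})' -f $vector, $score, (Get-CvssSeverity $score)
```

For this page's vector the impact sub-score is 6.42 × (1 − 0.44³) and the exploitability sub-score is 8.22 × 0.55 × 0.77 × 0.85 × 0.62; their sum rounds up to 7.8, matching the table. Reading the two factors side by side shows why the standalone rating is only High: the AV:L and UI:R weights (0.55 and 0.62) are what the SSRF bridge described in Overview removes in practice.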

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2021-01-03 | DEVCORE's Orange Tsai reports ProxyLogon chain (including CVE-2021-26857) to Microsoft
2021-02-28 | Microsoft detects HAFNIUM actively exploiting ProxyLogon zero-days in the wild before patch availability
2021-03-02 | Microsoft releases out-of-band emergency patches for all four ProxyLogon CVEs (26855, 26857, 26858, 27065)
2021-03-03 | CISA issues Emergency Directive 21-02 requiring federal agencies to patch or disconnect vulnerable Exchange servers within 5 days
2021-03-03 | CVE published
2021-03-12 | Microsoft releases ProxyLogon detection scripts and one-click Exchange mitigation tool
2021-03-15 | CISA reports tens of thousands of US organizations compromised; exploitation now attributed to multiple threat groups beyond HAFNIUM
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline