CVE-2021-26858 — Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26858

ProxyLogon — Post-Auth Arbitrary File Write Enables Web Shell Deployment on Exchange Server After Authentication via CVE-2021-26855; CISA ED 21-02

What is Exchange's Post-Authentication File Write Surface?

Microsoft Exchange Server exposes several web services (OWA, ECP, ActiveSync, Autodiscover, EWS, OAB) through IIS, and some of the authenticated operations behind them legitimately write files to the server: virtual-directory configuration, Offline Address Book data, temporary content. The IIS application pools that host these services run with high privilege (LocalSystem on a default install) and can write throughout the Exchange installation tree and the IIS web root. Any bug that lets an authenticated Exchange user control both the content and the destination path of such a write is therefore a web shell primitive: an ASP.NET page dropped into an IIS-served directory becomes an HTTP-reachable command interface that executes in the application pool's security context and persists until someone finds and removes the file.

Overview

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Microsoft Exchange Server. After obtaining authentication (in the ProxyLogon chain, via CVE-2021-26855's SSRF authentication bypass), an attacker can write arbitrary files to any path on the Exchange server filesystem. The primary exploitation pattern was writing ASP.NET web shells to IIS-accessible directories — giving the attacker persistent remote code execution on the Exchange server via HTTP requests to the web shell. CVE-2021-26858 is one of the two file write vulnerabilities in the ProxyLogon cluster (alongside CVE-2021-27065), both of which were chained with CVE-2021-26855 by HAFNIUM and dozens of subsequent threat groups. CISA Emergency Directive 21-02 required immediate patching.

Affected Versions

Product                              Vulnerable      Fixed
Exchange Server 2013 CU23            Yes             March 2021 Security Update (KB5000871)
Exchange Server 2016 CU18, CU19      Yes             March 2021 Security Update (KB5000871)
Exchange Server 2019 CU7, CU8        Yes             March 2021 Security Update (KB5000871)
Exchange Server 2010 SP3             Not affected    RU32 addressed CVE-2021-26857 only
Exchange Online (Microsoft 365)      Not affected    Managed service, patched by Microsoft

Microsoft later published stopgap builds of the update for older, out-of-support CUs of 2013, 2016 and 2019; servers on those CUs are vulnerable and should be brought to a supported CU and then patched.

Technical Details

  • Root cause: Post-authentication arbitrary file write. An authenticated Exchange endpoint accepts attacker-controlled input that determines both a target file path and the content written there, and performs the write without restricting the destination to the locations the feature needs; because the IIS application pool can write into IIS-served directories, the primitive translates directly into web shell deployment
  • ProxyLogon chain: (1) CVE-2021-26855, a pre-authentication SSRF in the front-end HttpProxy, lets an unauthenticated request be relayed to backend services as an arbitrary user, including an Exchange administrator; (2) a post-authentication file write (CVE-2021-26858, or CVE-2021-27065 in the chain DEVCORE published) then drops an .aspx file under C:\inetpub\wwwroot\aspnet_client\ or %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\, giving persistent, HTTP-accessible RCE
  • Web shell deployment: The most common outcome was a small ASP.NET web shell (.aspx) in an IIS-served path. The shell accepts commands via HTTP POST, executes them in the Exchange IIS application pool context, and returns the output, providing backdoor access that survives reboots and, since the file is not touched by the security update, survives patching too
  • Standalone CVSS vs. chained reality: NVD's vector (AV:L, PR:N, UI:R) scores the bug in isolation as a local, user-assisted issue. In the chain, CVE-2021-26855 supplies the authentication over the network, so the effective attack is unauthenticated remote code execution; prioritise on the chain, not on the 7.8
  • Ransomware delivery: Within days of the patch, threat actors used web shells planted through the file-write bugs to deploy ransomware (DearCry, Black Kingdom), credential harvesters, and additional backdoors across enterprise networks

Discovery

DEVCORE's Orange Tsai discovered the chain that became known as ProxyLogon (the CVE-2021-26855 SSRF plus the CVE-2021-27065 file write) and reported it to Microsoft on January 5, 2021. CVE-2021-26858 is the second post-authentication file write fixed in the same out-of-band release; Microsoft's March 2 HAFNIUM report describes it alongside CVE-2021-27065 as a bug the actor used to write files to any path once authenticated, whether through the SSRF or with stolen administrator credentials. Exploitation preceded the patch: Volexity traced the earliest activity it observed to early January 2021, and mass exploitation began in the last days of February. In the days after the release, Microsoft MSTIC, Volexity, and ESET documented the resulting web shell deployments, showing that thousands of Exchange servers had already been backdoored.

Exploitation Context

CVE-2021-26858 (along with CVE-2021-27065) was the persistence mechanism of ProxyLogon. After CVE-2021-26855 provided authentication, a file write to a web-accessible path gave attackers a durable foothold that survived patching: organizations that applied the Exchange security update but did not hunt for web shells remained compromised. Forensic investigations following the ProxyLogon wave found China Chopper, ASPXSPY, and custom ASPX web shells in Exchange IIS directories at tens of thousands of organizations worldwide. Mass exploitation started in the last days of February 2021, several days before the March 2 patch, and the further days or weeks most organizations needed to deploy it gave sophisticated and opportunistic actors alike time to backdoor virtually every unpatched internet-facing Exchange server.

Remediation

  1. Apply the March 2021 Security Update (KB5000871) immediately; it is available for Exchange 2013 CU23, 2016 CU18/CU19 and 2019 CU7/CU8, with stopgap builds for older CUs. Patching closes the write primitive but removes nothing that was already written
  2. Hunt for web shells after patching: list every .aspx, .asmx, and .ashx file under the IIS-served Exchange directories and verify each against a clean install of the same build, paying particular attention to:
    • C:\inetpub\wwwroot\aspnet_client\ (including aspnet_client\system_web\), which should contain no server-side pages at all
    • %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\
    • %ExchangeInstallPath%\ClientAccess\
    • Any other IIS virtual directory path configured for Exchange
  3. Run Microsoft's Test-ProxyLogon.ps1 (from the microsoft/CSS-Exchange GitHub repository) to collect indicators of exploitation, including the CVE-2021-26855 SSRF signature in the Exchange HttpProxy logs (requests whose AnchorMailbox field contains ServerInfo~), and scan with an up-to-date Microsoft Safety Scanner (MSERT), which carries signatures for the known shells
  4. Review the IIS logs for POST requests answered with HTTP 200 to .aspx, .ashx, or .asmx files under /aspnet_client/ or /owa/auth/, paths that legitimately receive no such POSTs; scripted user agents, and client IPs that hit /ecp/ or /owa/ shortly beforehand, strengthen the lead. Correlate with file creation times from step 2, bearing in mind that timestamps can be forged
  5. If patching is delayed, apply Microsoft's interim mitigation for CVE-2021-26855 (the SSRF prerequisite): an IIS URL Rewrite rule on the Exchange front-end site that aborts any request carrying the X-AnonResource-Backend or X-BEResource cookies the SSRF relies on. Microsoft's Exchange On-premises Mitigation Tool (EOMT) automates this and runs MSERT. The rule blocks the chain at step 1 but does not fix the file-write bug itself and does not remove existing shells
  6. Treat any confirmed web shell as evidence that attacker code has already run as the application pool identity: rotate credentials exposed on the host, look for persistence beyond the shell, and follow CISA ED 21-02 and advisory AA21-062A for full detection, response, and recovery guidance
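Steps 2 and 4 in one pass, as an added PowerShell example written for this page (it is not Microsoft's Test-ProxyLogon.ps1 and does not replace it). It enumerates ASP.NET files in the common drop directories and flags them by content and creation time, then parses IIS W3C logs for the POST traffic a shell produces. The directory list, the content regexes, and the reference date are my own choices drawn from the paths above; the IIS log lines embedded at the bottom are constructed for the demo, not real telemetry; the script assumes it runs elevated on the Exchange server and that %ExchangeInstallPath% is set.

```powershell
# Added example for this page; not Microsoft's Test-ProxyLogon.ps1.
# Assumptions: run elevated on the Exchange server; candidate directories and content
# patterns are mine; the sample IIS log below is constructed, not captured.

$ExchangeRoot = $env:ExchangeInstallPath
if (-not $ExchangeRoot) { $ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

$CandidateDirs = @(
    'C:\inetpub\wwwroot\aspnet_client'
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth')
    (Join-Path $ExchangeRoot 'ClientAccess')
)

# Idioms found in small ASPX shells: script eval of request data (China Chopper style),
# parameter-driven one-liners, direct process execution. Shipped Exchange pages contain none.
$ShellPatterns = @(
    'eval\s*\(\s*Request'
    'Request\.Item\['
    'System\.Diagnostics\.Process'
    'cmd\.exe'
)

function Find-SuspiciousAspx {
    param([string[]]$Dirs, [datetime]$CreatedAfter)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            $body = Get-Content -LiteralPath $f.FullName -Raw -ErrorAction SilentlyContinue
            $hits = @($ShellPatterns | Where-Object { $body -match $_ })
            # Creation time is a lead, not proof: attackers can timestomp the file.
            $recent = $f.CreationTimeUtc -gt $CreatedAfter
            if ($hits.Count -gt 0 -or $recent) {
                [pscustomobject]@{
                    Path       = $f.FullName
                    SizeBytes  = $f.Length
                    CreatedUtc = $f.CreationTimeUtc
                    Reason     = $(if ($hits.Count -gt 0) { 'content: ' + ($hits -join ', ') } else { 'created after reference date' })
                }
            }
        }
    }
}

function Find-WebShellPosts {
    param([string[]]$LogLines)
    # W3C logs declare their column order in a '#Fields:' line; read it instead of assuming positions.
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line.Trim() -split ' '
        if ($cols.Count -ne $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        $uri = $rec['cs-uri-stem']
        # A shell is driven by POST and answers 200. OWA's legitimate login POST goes to
        # /owa/auth.owa (not an .aspx), and nothing should ever POST into /aspnet_client/.
        $shellPath = ($uri -match '^/aspnet_client/') -or ($uri -match '^/owa/auth/.*\.(aspx|ashx|asmx)$')
        if ($rec['cs-method'] -eq 'POST' -and $rec['sc-status'] -eq '200' -and $shellPath) {
            [pscustomobject]@{
                Time      = "$($rec['date']) $($rec['time'])"
                ClientIP  = $rec['c-ip']
                Uri       = $uri
                UserAgent = $rec['cs(User-Agent)']
            }
        }
    }
}

# Constructed sample log: two benign OWA logon requests, then two shell-style POSTs.
$SampleIisLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2021-03-03 04:12:07 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 48
2021-03-03 04:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 - 302 0 0 120
2021-03-03 04:15:41 10.0.0.5 POST /aspnet_client/system_web/sample.aspx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 31
2021-03-03 04:16:02 10.0.0.5 POST /owa/auth/sample2.aspx - 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 27
'@ -split '\r?\n'

# Reference date: the start of mass exploitation; tune to your last known-good baseline.
Find-SuspiciousAspx -Dirs $CandidateDirs -CreatedAfter ([datetime]'2021-02-26') | Format-Table -AutoSize
Find-WebShellPosts -LogLines $SampleIisLog | Format-Table -AutoSize
# On a live server, feed the real logs instead of the sample:
# Find-WebShellPosts -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')
```

Against the sample log the second function returns only the two POSTs from 203.0.113.9. Treat every hit from either function as a lead to verify by hashing the file against a clean install of the same build; the script does not look at the HttpProxy logs for the SSRF step (Test-ProxyLogon.ps1 does), so run both.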
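Step 5's interim mitigation as an added example: PowerShell that installs the two cookie-abort rules through the WebAdministration module. This is my own code, not Microsoft's EOMT script or its published rule text. It assumes the IIS URL Rewrite module is installed (the system.webServer/rewrite section does not exist without it), that the Exchange front end is the site named 'Default Web Site', and the rule names are arbitrary ones I chose.

```powershell
# Added example; not Microsoft's EOMT. Aborts any request to the Exchange front-end site whose
# Cookie header carries X-AnonResource-Backend or X-BEResource, the cookies the CVE-2021-26855
# SSRF uses to steer the front end toward an attacker-chosen backend.
# Assumptions: IIS URL Rewrite module installed, site name 'Default Web Site', rule names mine.
Import-Module WebAdministration

$Site = 'IIS:\Sites\Default Web Site'
$CookieNames = @('X-AnonResource-Backend', 'X-BEResource')

function Add-BackendCookieAbortRule {
    param([string]$CookieName)
    $ruleName   = "Abort $CookieName cookie - inbound"
    $ruleFilter = "system.webServer/rewrite/rules/rule[@name='$ruleName']"

    # Idempotent: re-running the script must not duplicate the rule.
    if (Get-WebConfiguration -PSPath $Site -Filter $ruleFilter) {
        Write-Host "rule '$ruleName' already present"
        return
    }
    # Match every URL, then condition on the Cookie header and abort the request.
    Add-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/rewrite/rules' -Name '.' `
        -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$ruleFilter/match" -Name 'url' -Value '*'
    Add-WebConfigurationProperty -PSPath $Site -Filter "$ruleFilter/conditions" -Name '.' `
        -Value @{ input = '{HTTP_COOKIE}'; pattern = "*$CookieName*" }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$ruleFilter/action" -Name 'type' -Value 'AbortRequest'
    Write-Host "installed rule '$ruleName'"
}

foreach ($c in $CookieNames) { Add-BackendCookieAbortRule -CookieName $c }

# Verify what is now configured on the site.
Get-WebConfiguration -PSPath $Site -Filter 'system.webServer/rewrite/rules/rule' |
    Select-Object name, patternSyntax, stopProcessing
```

After installing the rules, confirm that OWA and ECP logons still work (legitimate clients never send these cookies) and that a test request with a `Cookie: X-BEResource=x` header is dropped. The rules are a stopgap for the SSRF only; they do nothing for the file-write bug and must be followed by the security update and the web shell hunt.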

Key Details

Property               Value
CVE ID                 CVE-2021-26858
Vendor / Product       Microsoft — Exchange Server
NVD Published          2021-03-03
NVD Last Modified      2025-12-18
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date          Event
2021-01-03    Earliest in-the-wild exploitation later identified by Volexity
2021-01-05    DEVCORE's Orange Tsai reports CVE-2021-26855 and CVE-2021-27065 (the ProxyLogon chain) to Microsoft
2021-02-28    Mass exploitation of ProxyLogon by HAFNIUM and other actors under way ahead of the patch
2021-03-02    Microsoft releases out-of-band security updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 and publishes its HAFNIUM report
2021-03-03    CISA issues Emergency Directive 21-02; CVE published in NVD
2021-03-12    Microsoft detection and mitigation tooling (Test-ProxyLogon.ps1, updated MSERT) in circulation; exploitation by dozens of threat groups under way
2021-11-03    Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03    CISA BOD 22-01 remediation deadline