CVE-2021-27059 — Microsoft Office Remote Code Execution Vulnerability

CVE-2021-27059

Microsoft Office — Privileged Admin Remote Code Execution in Server-Side Office Component via Crafted Request; March 2021 Patch Tuesday

What are Microsoft Office server components?

Microsoft Office includes server-side processing components deployed in enterprise environments — including Office Online Server (the on-premises equivalent of browser-based document editing in Microsoft 365), document processing APIs in SharePoint Server, and web-accessible management interfaces for Office deployments. These server components run with service-level privileges, process complex Office document formats on behalf of users, and are accessible to authenticated administrators over the network. Vulnerabilities in privileged server-side Office components allow attackers who have already obtained administrative credentials (via phishing, credential theft, or other means) to execute code on the underlying server — potentially reaching resources beyond the vulnerable service itself.

Overview

CVE-2021-27059 is a remote code execution vulnerability in Microsoft Office server components. The CVSS profile reflects a sophisticated attack: it requires High Privileges (existing admin-level authentication), High Complexity (specific preconditions or configuration states must exist), and User Interaction (an authenticated admin must trigger the vulnerable operation). The Scope: Changed classification indicates successful exploitation affects resources outside the vulnerable component's normal security boundary — consistent with a server-side Office component whose code execution context has access to the broader Windows Server host. Microsoft patched this in March 2021 Patch Tuesday; CISA added it to the KEV catalog in November 2021, confirming exploitation against unpatched installations.

Affected Versions

Product                                                  Vulnerable   Fixed
Microsoft Office (server components, affected versions)  Yes          March 2021 Patch Tuesday

Technical Details

  • Attack profile: AV:N/AC:H/PR:H/UI:R/S:C — the vulnerability is in a network-accessible Office server component; exploitation requires admin credentials (PR:H), specific preconditions such as particular server configuration or document state (AC:H), and an action by an authenticated admin (UI:R)
  • Scope Changed: Code execution affects resources outside the vulnerable component's normal security boundary — the Office service account or the Office processing context can reach host-level resources, enabling persistence or lateral movement from the server
  • Full impact: C:H/I:H/A:H — complete confidentiality, integrity, and availability impact consistent with arbitrary code execution on the server host, giving an attacker full control over the Office server and its data
  • Post-initial-access exploitation: Given PR:H, this vulnerability is exploited after an attacker has already obtained admin credentials through another means; it provides a path to code execution and persistence on the Office server infrastructure

Discovery

Reported to Microsoft and patched in March 2021 Patch Tuesday. The CISA KEV addition in November 2021 confirms that organizations which had not applied the March patches were actively targeted.

Exploitation Context

Server-side Office vulnerabilities requiring administrative credentials are typically exploited in the second stage of an attack: after gaining admin access via credential theft or phishing, an attacker targets the Office server to achieve persistent code execution on enterprise infrastructure. The high privilege requirement narrows the attack surface but does not prevent exploitation — administrators regularly interact with Office server management interfaces, and an attacker who has compromised admin credentials faces no additional barrier. The Scope: Changed outcome means the attacker's code runs in a context with broader system access than the Office service's intended boundary, enabling escalation to the underlying Windows Server.

Remediation

  1. Apply March 2021 Patch Tuesday updates for all affected Microsoft Office server components
  2. Keep Office Online Server, SharePoint Server, and all Office server components updated via Windows Server Update Services or Microsoft Update Catalog
  3. Enforce least-privilege access to Office server administration: require separate admin accounts, MFA, and privileged access workstations for management operations
  4. Monitor Office server process execution logs for unexpected child processes spawned from Office service accounts
  5. Audit administrative access to Office server management interfaces — restrict which accounts can authenticate to these endpoints and alert on anomalous admin activity
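As an added example (not from the advisory or from Microsoft), a minimal check for remediation step 4 run over constructed process-creation records: it flags any child process started under an Office service account that is not on an allowlist of expected children. The service-account name, the parent path and the allowlist are assumptions that a deployment would replace with its own baseline.

```python
import re

# Constructed records for illustration only (not real Sysmon/ETW output). Field layout:
# timestamp, user, parent image, child image. Account name and parent path are placeholders.
SAMPLE_EVENTS = [
    "2021-03-10T09:14:02Z user=CONTOSO\\svc-officeserver parent=C:\\OFFICE_SERVER_DIR\\service.exe child=C:\\Windows\\System32\\conhost.exe",
    "2021-03-10T09:14:05Z user=CONTOSO\\svc-officeserver parent=C:\\OFFICE_SERVER_DIR\\service.exe child=C:\\Windows\\System32\\WerFault.exe",
    "2021-03-10T09:15:40Z user=CONTOSO\\svc-officeserver parent=C:\\OFFICE_SERVER_DIR\\service.exe child=C:\\Windows\\System32\\cmd.exe",
    "2021-03-10T09:15:41Z user=CONTOSO\\svc-officeserver parent=C:\\Windows\\System32\\cmd.exe child=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2021-03-10T09:16:00Z user=CONTOSO\\jdoe parent=C:\\Windows\\explorer.exe child=C:\\Windows\\System32\\cmd.exe",
    "this line is malformed and must not crash the monitor",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>.+?) child=(?P<child>.+)$")

# Assumption: the account(s) the Office server services run as (constructed name).
SERVICE_ACCOUNTS = {"contoso\\svc-officeserver"}
# Assumption: children the service is known to spawn in normal operation; tune to your baseline.
EXPECTED_CHILDREN = {"conhost.exe", "werfault.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_unexpected_children(events):
    """Return (timestamp, user, parent image, child image) for every child process
    started under a service account that is not in EXPECTED_CHILDREN."""
    hits = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the scan
        if m["user"].lower() not in SERVICE_ACCOUNTS:
            continue  # interactive users are out of scope for this rule
        child = image_name(m["child"])
        if child in EXPECTED_CHILDREN:
            continue
        hits.append((m["ts"], m["user"], image_name(m["parent"]), child))
    return hits


if __name__ == "__main__":
    for ts, user, parent, child in find_unexpected_children(SAMPLE_EVENTS):
        print(f"{ts} ALERT {user}: {parent} spawned {child}")
```

The rule deliberately keys on the account rather than on a specific parent binary, so a shell launched indirectly (here cmd.exe spawning powershell.exe) is still caught.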

Key Details

Property              Value
CVE ID                CVE-2021-27059
Vendor / Product      Microsoft — Office
NVD Published         2021-03-11
NVD Last Modified     2025-10-30
CVSS 3.1 Score        7.6
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Severity              HIGH
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    High
Privileges Required  High
User Interaction     Required
Scope                Changed
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-03-09  Microsoft patches CVE-2021-27059 in March 2021 Patch Tuesday
2021-03-11  CVE published
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline

References

Resource                                       Type
Microsoft Security Advisory — CVE-2021-27059   Vendor Advisory
NVD — CVE-2021-27059                           Vulnerability Database
CISA KEV Catalog Entry                         US Government