What is Path Traversal in Exchange?
Path traversal (CWE-22) vulnerabilities occur when a web application uses attacker-controlled input to construct a filesystem path without properly sanitizing directory traversal sequences (e.g., ../). In Microsoft Exchange Server, authenticated API endpoints that write files as part of Exchange's operations — such as virtual directory configuration, OAB (Offline Address Book) generation, or configuration export — can be vulnerable if they incorporate user-supplied path components without validation. An attacker who can write arbitrary files to IIS-accessible directories via path traversal can deploy ASP.NET web shells, gaining persistent HTTP-accessible code execution on the Exchange server.
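The CWE-22 pattern the paragraph describes, as an added illustration (not Exchange's code, which this page does not show): a file-writing routine that joins an attacker-controlled component into an intended directory without checking where the result lands, beside a hardened version that canonicalises the path and refuses anything outside that directory. `BASE_DIR` is a hypothetical directory, and `ntpath` is used so the Windows path semantics are reproduced on any host.

```python
import ntpath

# Hypothetical directory an Exchange-style endpoint is meant to write into
# (an assumption for this example, not Exchange's real OAB path).
BASE_DIR = r"C:\ExchangeData\V15\ClientAccess\OAB"


def vulnerable_target_path(base_dir: str, user_supplied: str) -> str:
    """CWE-22 pattern: the attacker-controlled component is joined and
    normalised, but nothing checks whether the result left base_dir."""
    return ntpath.normpath(ntpath.join(base_dir, user_supplied))


def is_inside_base_dir(base_dir: str, user_supplied: str) -> bool:
    """True only if the canonical target is strictly below base_dir.
    Handles ../ sequences, absolute inputs, and different drives/UNC shares."""
    base = ntpath.normcase(ntpath.abspath(base_dir))
    candidate = ntpath.normcase(ntpath.abspath(ntpath.join(base, user_supplied)))
    try:
        common = ntpath.commonpath([base, candidate])
    except ValueError:  # different drive or UNC share: cannot be inside
        return False
    return common == base and candidate != base


def safe_target_path(base_dir: str, user_supplied: str) -> str:
    """Hardened form: refuse any write that escapes the intended directory."""
    if not is_inside_base_dir(base_dir, user_supplied):
        raise ValueError(f"refusing write outside {base_dir}: {user_supplied!r}")
    return ntpath.normpath(ntpath.join(base_dir, user_supplied))


if __name__ == "__main__":
    traversal = "../../../../inetpub/wwwroot/aspnet_client/shell.aspx"
    print("unchecked join lands at:", vulnerable_target_path(BASE_DIR, traversal))
    print("inside base dir?", is_inside_base_dir(BASE_DIR, traversal))
```

The check compares canonical paths rather than searching for the literal `../`, so encoded or mixed-separator variants are handled by the same rule.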
Overview
CVE-2021-27065 is a path traversal file write vulnerability (CWE-22) in Microsoft Exchange Server. It is the second post-authentication file write in the ProxyLogon cluster (alongside CVE-2021-26858), exploitable after authentication is obtained via the CVE-2021-26855 SSRF authentication bypass. A path traversal vulnerability in an Exchange endpoint that writes configuration or data files allows an authenticated attacker to specify a target file path outside the intended directory — writing ASPX web shell content to IIS-accessible paths on the Exchange server. CVE-2021-27065 was used alongside CVE-2021-26858 by HAFNIUM and subsequent threat actors to achieve persistent backdoor access. CISA Emergency Directive 21-02 required immediate patching of federal Exchange servers.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Exchange Server 2013 CU23 | Yes | March 2021 Security Update |
| Exchange Server 2016 CU18, CU19 | Yes | March 2021 Security Update |
| Exchange Server 2019 CU7, CU8 | Yes | March 2021 Security Update |
| Exchange Online (Microsoft 365) | Not affected | Managed service, patched by Microsoft |
Technical Details
- Root cause: Path traversal (CWE-22) — an authenticated Exchange endpoint (related to OAB virtual directory configuration or similar Exchange management functionality) writes files using a path derived from attacker-controlled input; sequences like `../../../../inetpub/wwwroot/aspnet_client/shell.aspx` traverse outside the intended directory and land in an IIS-accessible location, where a `.aspx` file becomes an executable web shell
- ProxyLogon chain: (1) CVE-2021-26855 (pre-auth SSRF) → authenticate as any Exchange user/admin; (2) CVE-2021-27065 (path traversal file write) → write web shell to IIS web root → persistent remote code execution via HTTP
- Relationship to CVE-2021-26858: Both CVE-2021-26858 and CVE-2021-27065 achieve the same outcome (arbitrary file write → web shell deployment) but through different vulnerable Exchange endpoints; threat actors used both, and defenders needed to patch both to close the persistent access path
- Web shell persistence: ASPX web shells deployed via CVE-2021-27065 persist on the Exchange server filesystem; patching Exchange after exploitation does not remove already-deployed web shells — post-patch forensic investigation is essential
- Ransomware use: LockFile, BlackKingdom, DearCry, and other ransomware families used ProxyLogon web shells (deployed via CVE-2021-26858 and CVE-2021-27065) as the initial foothold for deploying ransomware across enterprise networks
Discovery
Part of the four-vulnerability ProxyLogon chain reported by Orange Tsai of DEVCORE to Microsoft on January 5, 2021. HAFNIUM exploited all four ProxyLogon vulnerabilities as zero-days beginning in late February 2021. The specific path traversal mechanism in CVE-2021-27065 was detailed in technical analyses by Volexity, Microsoft MSTIC, and DEVCORE following the March 2 patch release.
Exploitation Context
CVE-2021-27065 was one of the primary web shell deployment mechanisms in the ProxyLogon exploitation wave. The pattern CVE-2021-26855 → CVE-2021-27065 (or CVE-2021-26858) → web shell was executed at extraordinary scale by dozens of threat actors in the two weeks following the March 2, 2021 patch. The path traversal mechanism was particularly efficient because it required only two HTTP requests (one for authentication via the SSRF, one for the file write) to deploy a persistent backdoor. Security firms estimated that tens of thousands of Exchange servers worldwide were backdoored before organizations could apply the emergency patches. The Known Ransomware Use flag in the Key Details table reflects that criminal actors leveraged this web shell access to stage and deploy ransomware across compromised networks.
Remediation
- Apply Microsoft Exchange March 2021 Security Updates — patches the path traversal vulnerability in Exchange 2013, 2016, and 2019
- Assume compromise and hunt for web shells — any Exchange server internet-accessible before March 8, 2021 without the patch should be treated as backdoored:
  - Enumerate all `.aspx` and related files in Exchange IIS directories and compare against known-good file lists
  - Check specifically: `C:\inetpub\wwwroot\aspnet_client\`, OAB virtual directory paths, and Exchange OWA directories
  - Run Microsoft's `Test-ProxyLogon.ps1` detection script to identify exploitation artifacts in Exchange logs
  - Review IIS logs for the specific CVE-2021-27065 exploitation pattern: POST requests to Exchange ECP/OAB endpoints followed by GET requests to newly created ASPX files in unusual paths
- Apply CVE-2021-26855 mitigations first if patching is delayed — blocking the SSRF prevents the attacker from obtaining the authenticated session required for CVE-2021-27065
- After remediation, perform full credential rotation for all accounts accessible from the Exchange server and review for additional persistence mechanisms (new admin accounts, scheduled tasks, registry keys)
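The IIS-log review step in the hunt above, as an added example that is not part of this page or of Microsoft's Test-ProxyLogon.ps1: it parses constructed W3C-format log lines and flags, per client IP, a POST to an ECP/OAB endpoint followed within an assumed time window by a GET to a `.aspx` file outside an assumed allowlist of Exchange virtual directories. The endpoint and file names in the sample are placeholders, and the window and allowlist are assumptions to tune against your own logs.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C-style log lines (not real Exchange logs). The field
# set is trimmed to what the check needs; endpoint names are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2021-03-03 09:30:00 POST /ecp/write-endpoint 200 203.0.113.9
2021-03-03 10:00:01 GET /owa/auth/logon.aspx 200 10.0.0.5
2021-03-03 10:00:07 POST /owa/auth.owa 302 10.0.0.5
2021-03-03 10:02:11 POST /ecp/write-endpoint 200 198.51.100.7
2021-03-03 10:02:19 GET /aspnet_client/shell.aspx 200 198.51.100.7
2021-03-03 10:05:00 GET /ecp/default.aspx 200 10.0.0.5
2021-03-03 10:10:00 GET /aspnet_client/old.aspx 200 203.0.113.9
"""

# Assumed allowlist of virtual directories where .aspx requests are expected.
EXPECTED_ASPX_ROOTS = ("/owa/", "/ecp/", "/ews/", "/autodiscover/", "/oab/")
WRITE_ENDPOINT_ROOTS = ("/ecp/", "/oab/")  # the ECP/OAB endpoints the hunt names
WINDOW = timedelta(minutes=5)              # assumed POST-to-GET pairing window


def parse_w3c(text: str) -> list:
    """Parse IIS W3C lines into dicts keyed by the #Fields: directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.strip() or line.startswith("#") or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_suspicious_sequences(rows: list, window: timedelta = WINDOW) -> list:
    """Per client IP, pair the latest POST to an ECP/OAB endpoint with a later
    GET (within `window`) to a .aspx outside the expected Exchange roots."""
    last_post, hits = {}, []
    for r in sorted(rows, key=lambda r: (r["date"], r["time"])):
        ts = datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S")
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST" and stem.startswith(WRITE_ENDPOINT_ROOTS):
            last_post[ip] = (ts, stem)
        elif (r["cs-method"] == "GET" and stem.endswith(".aspx")
              and not stem.startswith(EXPECTED_ASPX_ROOTS) and ip in last_post):
            delta = ts - last_post[ip][0]
            if delta <= window:
                hits.append({"c-ip": ip, "post": last_post[ip][1],
                             "aspx": stem, "seconds": delta.total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_sequences(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

Each hit names a `.aspx` path to verify against the known-good file lists from the earlier hunt steps; a hit is a lead, not proof of compromise on its own.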
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-27065 |
| Vendor / Product | Microsoft — Exchange Server |
| NVD Published | 2021-03-03 |
| NVD Last Modified | 2025-12-18 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-22 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-01-03 | DEVCORE's Orange Tsai reports ProxyLogon chain (including CVE-2021-27065) to Microsoft |
| 2021-02-28 | Microsoft detects HAFNIUM actively exploiting ProxyLogon zero-days before patch availability |
| 2021-03-02 | Microsoft releases out-of-band emergency patches for all four ProxyLogon CVEs |
| 2021-03-03 | CISA issues Emergency Directive 21-02; CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Advisory — CVE-2021-27065 | Vendor Advisory |
| Microsoft MSTIC — HAFNIUM Targeting Exchange Servers with 0-Days | Security Research |
| CISA Emergency Directive 21-02 | US Government |
| NVD — CVE-2021-27065 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |