CVE-2021-31207 — Microsoft Exchange Server Security Feature Bypass Vulnerability

CVE-2021-31207

ProxyShell — Exchange Post-Auth Arbitrary File Write Enables Web Shell Deployment; Third CVE in ProxyShell Chain Alongside CVE-2021-34473 and CVE-2021-34523

What is Exchange Server's Mailbox Export Feature?

Microsoft Exchange Server's mailbox export functionality allows administrators to export mailbox contents to PST files. The Export-Mailbox and New-MailboxExportRequest cmdlets in Exchange Management Shell can write files to specific directories on the Exchange server. If an authenticated user can manipulate the export destination path or the content being written (including by injecting ASPX code into the mailbox and exporting it to a web-accessible directory), this functionality becomes an arbitrary file write primitive — one of the core capabilities needed to deploy a web shell on an Exchange server. CVE-2021-31207 is the security feature bypass that enables this arbitrary file write, completing the ProxyShell exploit chain when combined with the authentication bypass provided by CVE-2021-34473 and CVE-2021-34523.

Overview

CVE-2021-31207 is a security feature bypass vulnerability (CWE-434: Unrestricted Upload of File with Dangerous Type) in Microsoft Exchange Server. An authenticated attacker can write files to arbitrary paths on the Exchange server by exploiting an inadequate restriction in Exchange's mailbox export functionality. In isolation it requires High Privileges (PR:H) and is rated MEDIUM (6.6). However, as the final component of the ProxyShell exploit chain — where CVE-2021-34473 (pre-auth path traversal) and CVE-2021-34523 (EAC privilege escalation) provide authentication as SYSTEM — CVE-2021-31207 becomes the web shell deployment step of a fully pre-authenticated RCE chain. Orange Tsai (DEVCORE) presented ProxyShell at Black Hat USA 2021; mass exploitation began within days.

Affected Versions

Product                          Vulnerable  Fixed
Exchange Server 2013 CU23        Yes         KB5003164 (May 2021)
Exchange Server 2016 CU19, CU20  Yes         KB5003611 / KB5003612 (May 2021)
Exchange Server 2019 CU8, CU9    Yes         KB5003612 / KB5003611 (May 2021)

Technical Details

  • Root cause: Security feature bypass (CWE-434) in Exchange's mailbox export — Exchange's New-MailboxExportRequest API allows writing exported mailbox content (including specially crafted ASPX webshell code embedded in email message bodies) to a file path supplied by the requester; insufficient path validation allows writing to web-accessible directories (e.g., C:\inetpub\wwwroot\aspnet_client\)
  • Standalone vs. chain use: On its own, CVE-2021-31207 requires a high-privilege Exchange account, which limits its value. In ProxyShell, CVE-2021-34473 (pre-auth path traversal) gives access to the Exchange backend as SYSTEM, and CVE-2021-34523 (EAC PowerShell auth bypass) lets the attacker impersonate any mailbox, including admin accounts, so the effective privilege requirement in the chain drops from PR:H to PR:N
  • Web shell deployment: The attacker (via ProxyShell chain) creates a mailbox, sends an email to it with ASPX payload in the body, then uses New-MailboxExportRequest to export the mailbox to a .aspx file in a web-accessible directory; the Exchange IIS server then serves the ASPX file as executable code
  • Ransomware campaigns: Multiple ransomware groups — including LockFile, Conti, Black Kingdom, and others — weaponized ProxyShell within days of the August 2021 Black Hat presentation; the Known Ransomware Use flag in Key Details below reflects this widespread ransomware exploitation
  • Mass exploitation timeline: Security researchers observed automated ProxyShell scanning begin within 72 hours of Orange Tsai's Black Hat presentation, with thousands of Exchange servers compromised before patches were widely applied

Discovery

Orange Tsai (DEVCORE) discovered the ProxyShell chain and presented it at Pwn2Own 2021 (winning $200,000) and Black Hat USA 2021. CVE-2021-31207 was patched in May 2021 Patch Tuesday, two months before the other ProxyShell CVEs (July 2021 for CVE-2021-34473 and CVE-2021-34523). The simultaneous KEV addition of all three ProxyShell CVEs in November 2021 reflects the combined chain's active exploitation status.

Exploitation Context

ProxyShell was one of the most widely exploited Microsoft Exchange vulnerabilities following ProxyLogon. The combination of pre-authentication access and arbitrary file write made it trivially weaponizable — dozens of public exploit tools appeared within days of the Black Hat talk. Threat actors ranging from ransomware groups to nation-state APTs (including Chinese and Iranian threat actors) used ProxyShell to deploy web shells on unpatched Exchange servers and establish persistent access. CISA issued multiple advisories urging immediate patching. Organizations that had applied the May 2021 patch for CVE-2021-31207 but not the July 2021 patches for CVE-2021-34473/34523 remained vulnerable to the complete chain.

Remediation

  1. Apply all three ProxyShell patches: May 2021 Patch Tuesday (CVE-2021-31207) AND July 2021 Patch Tuesday (CVE-2021-34473, CVE-2021-34523) — all three are required to break the chain
  2. Scan Exchange servers for existing web shells: check C:\inetpub\wwwroot\aspnet_client\ and Exchange virtual directories for unexpected .aspx files
  3. Review Exchange HTTP access logs for POST requests to /autodiscover/autodiscover.json or unusual autodiscover paths indicating ProxyShell exploitation
  4. Deploy Microsoft Exchange Emergency Mitigation Service (EEMS), which can apply URL rewrite mitigations for known Exchange exploit patterns
  5. Consider migrating to Exchange Online (Microsoft 365) to eliminate on-premises Exchange attack surface
  6. Maintain Exchange on supported cumulative update versions — Microsoft only releases security patches for the two most recent CUs; staying on current CU is required for patch eligibility
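Steps 2 and 3 above are the two checks a responder can script immediately. The following is an added example written for this page (it is not Microsoft code and not part of any Exchange tooling): it lists unexpected .aspx files under a web-accessible directory such as aspnet_client, and it reads IIS W3C-format access logs (using the #Fields: header rather than a hard-coded column order) to flag POST requests to /autodiscover/autodiscover.json and other unusual autodiscover paths. The log lines and the directory layout are constructed for the demo; the IP addresses, user names and file names are placeholders.

```python
"""Defensive checks for ProxyShell remediation steps 2 and 3 (added example, not Microsoft code)."""
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Constructed IIS W3C log excerpt (not data from any real server). Field order is
# whatever the #Fields: header says; the parser reads it instead of hard-coding it.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-07 10:01:12 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200
2021-08-07 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.0.20 Microsoft+Office/16.0 200
2021-08-07 10:02:40 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-07 10:02:41 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 203.0.113.9 python-requests/2.25.1 401
2021-08-07 10:03:02 10.0.0.5 GET /autodiscover/unexpected.txt - 443 - 203.0.113.9 curl/7.68.0 404
"""

# Records for step 3: (timestamp, client ip, username, method, uri stem, reason)
Hit = Tuple[str, str, str, str, str, str]


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # #Software:, #Version:, #Date: directives
            continue
        if fields is None:
            raise ValueError("log entry appears before a #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):  # malformed or truncated entry: skip, don't crash
            continue
        yield dict(zip(fields, values))


def find_suspicious_autodiscover(text: str) -> List[Hit]:
    """Step 3: flag POSTs to autodiscover.json and any non-standard /autodiscover/ path."""
    hits: List[Hit] = []
    for rec in parse_iis_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if not stem.startswith("/autodiscover/"):
            continue
        method = rec["cs-method"].upper()
        if stem == "/autodiscover/autodiscover.json" and method == "POST":
            reason = "POST to autodiscover.json"
        elif stem not in ("/autodiscover/autodiscover.xml", "/autodiscover/autodiscover.json"):
            reason = "unusual autodiscover path"
        else:
            continue
        hits.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"], rec["cs-username"],
                     method, rec["cs-uri-stem"], reason))
    return hits


def find_unexpected_aspx(root: Path, allowlist: frozenset = frozenset()) -> List[str]:
    """Step 2: return .aspx files under root that are not on the allowlist.

    aspnet_client should contain only client-side script directories, so an
    empty allowlist is the right default there; pass known-good relative paths
    (case-insensitive, forward slashes) when scanning Exchange virtual directories.
    """
    allowed = {a.lower() for a in allowlist}
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".aspx":
            rel = path.relative_to(root).as_posix().lower()
            if rel not in allowed:
                findings.append(rel)
    return sorted(findings)


def demo_scan() -> List[str]:
    """Build a constructed aspnet_client-like tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "aspnet_client"
        (root / "system_web" / "4_0_30319").mkdir(parents=True)
        (root / "system_web" / "4_0_30319" / "WebForms.js").write_text("// constructed client script")
        # Constructed placeholder with an .aspx extension; its content is inert text.
        (root / "system_web" / "stray.ASPX").write_text("constructed placeholder, not a web shell")
        return find_unexpected_aspx(root)


if __name__ == "__main__":
    for hit in find_suspicious_autodiscover(SAMPLE_IIS_LOG):
        print("LOG  ", *hit)
    for rel in demo_scan():
        print("FILE ", rel)
```

On a live server, point `find_unexpected_aspx` at C:\inetpub\wwwroot\aspnet_client and feed `find_suspicious_autodiscover` the files under the IIS log directory. Anonymous (cs-username "-") POSTs to autodiscover.json that receive a 200 from an external address are the entries to triage first; any .aspx the scan reports should be preserved for forensics before removal, since its timestamp and content establish when the file write occurred.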

Key Details

Property               Value
CVE ID                 CVE-2021-31207
Vendor / Product       Microsoft — Exchange Server
NVD Published          2021-05-11
NVD Last Modified      2025-10-30
CVSS 3.1 Score         6.6
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               MEDIUM
CWE                    CWE-434
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-05-11  Microsoft patches CVE-2021-31207 in May 2021 Patch Tuesday as a security feature bypass
2021-05-11  CVE published
2021-08-05  Orange Tsai (DEVCORE) presents the ProxyShell chain at Black Hat USA 2021 using CVE-2021-34473 + CVE-2021-34523 + CVE-2021-31207
2021-08-07  Mass exploitation of ProxyShell begins within 72 hours of the Black Hat presentation
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline