CVE-2021-34473 — Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server — ProxyShell Stage 1 SSRF via Autodiscover Enabling Backend PowerShell Access as NT AUTHORITY\SYSTEM

What is Microsoft Exchange Server?

Microsoft Exchange Server is the world's most widely deployed on-premises email platform, used by enterprises and government agencies globally. Exchange combines email, calendar, and collaboration services in a platform that integrates deeply with Active Directory. Exchange servers are internet-accessible by design (for email delivery) and run as NETWORK SERVICE or SYSTEM on Windows — making critical vulnerabilities in Exchange extremely impactful. CVE-2021-34473 is the first component of the ProxyShell exploit chain, discovered by Orange Tsai of DEVCORE. See also CVE-2021-34523 and CVE-2021-31207 for the complete ProxyShell chain.

Overview

CVE-2021-34473 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the Exchange Autodiscover service. Microsoft patched this silently in April 2021 as part of a cumulative update; the vulnerability's full significance wasn't publicized until Orange Tsai demonstrated the complete ProxyShell exploit chain (CVE-2021-34473 + CVE-2021-34523 + CVE-2021-31207) at Black Hat and DEF CON in August 2021. Mass exploitation by ransomware groups began immediately after the conference presentation — even though the patch had been available for four months. Exchange servers that had not applied the April 2021 CU were immediately targeted.

Affected Versions

Product                          Vulnerable   Fixed
Exchange Server 2013 CU23        Yes          KB5003435
Exchange Server 2016 CU19/CU20   Yes          KB5003611 / KB5003612
Exchange Server 2019 CU8/CU9     Yes          KB5003611 / KB5003612

Technical Details

Exchange's Autodiscover service accepts requests on behalf of clients to discover email configuration. The SSRF vulnerability allows an unauthenticated attacker to forge requests to the Exchange backend that appear to originate from within the Exchange infrastructure:

  • SSRF mechanism: A specially crafted Autodiscover URL exploits Exchange's internal request forwarding to access the Exchange PowerShell backend (ECP/OWA) without authentication
  • Authentication bypass: By specifying an Autodiscover path that gets forwarded to the Exchange backend, the attacker bypasses the frontend authentication requirement
  • ProxyShell chain: CVE-2021-34473 (SSRF) + CVE-2021-34523 (EAP backend privilege to SYSTEM) + CVE-2021-31207 (file write via PowerShell) = full pre-auth RCE as SYSTEM
  • Impact: Full Exchange Server compromise — webshell deployment, email access, and AD integration abuse

Discovery

Discovered by Orange Tsai (Cheng-Da Tsai) of DEVCORE, who won $200,000 at Pwn2Own 2021 for the ProxyShell chain. The chain was presented publicly at Black Hat USA 2021 and DEF CON 29 in August 2021.

Exploitation Context

ProxyShell became one of the most rapidly exploited vulnerability chains in 2021. Within 24 hours of the Black Hat/DEF CON presentation, multiple threat actor groups began mass-scanning for unpatched Exchange servers. LockFile, Conti, AvosLocker, and other ransomware groups all exploited ProxyShell for initial access. Nation-state actors also exploited it for email espionage.

Remediation

  1. Apply the April 2021 Cumulative Update for your Exchange version (KB5001779 or subsequent CU)
  2. Verify the update is applied: check Exchange version in the Exchange Admin Center
  3. If exploitation occurred before patching: look for unauthorized webshells in Exchange directories (search for .aspx files in \inetpub\wwwroot\aspnet_client\ and Exchange web directories)
  4. Review OWA and ECP access logs for unexpected requests to /autodiscover/ paths containing powershell in the URL
  5. Check for unauthorized Exchange management shell sessions and new mailbox rules
  6. Consider Microsoft's Exchange Emergency Mitigation Service (EEMS) for rapid future mitigation delivery
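Step 4 above describes the log indicator in words; the following is an added example (not from the original advisory, Microsoft, or DEVCORE) that applies it to IIS W3C front-end logs offline. It assumes the standard IIS W3C extended format (a `#Fields:` directive naming the columns, `-` for empty values) and uses constructed sample log lines, not real captures. It flags only requests under `/autodiscover/` whose URL mentions `powershell`, and deliberately does not match direct `/powershell` requests, which are the normal remote-management endpoint.

```python
"""Hunt IIS W3C logs for Autodiscover requests whose URL references powershell.

Added example implementing the advisory's remediation step 4. The log text
below is constructed for illustration and is not a real capture.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of an Exchange front-end IIS W3C log (invented values).
# IIS names its columns in the "#Fields:" directive and writes "-" for empty
# fields; spaces inside the User-Agent are replaced by "+", so a plain
# whitespace split yields one token per column.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-13 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-08-13 08:01:02 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.0.20 Outlook/16.0 200 31
2021-08-13 08:01:03 10.0.0.5 POST /powershell PSVersion=5.1 443 CORP\\admin 10.0.0.30 Microsoft+WinRM+Client 200 88
2021-08-13 08:01:05 10.0.0.5 POST /autodiscover/autodiscover.json/powershell - 443 - 198.51.100.7 python-requests/2.25.1 200 45
2021-08-13 08:01:06 10.0.0.5 POST /Autodiscover/Autodiscover.json target=PowerShell 443 - 198.51.100.7 python-requests/2.25.1 200 47
2021-08-13 08:01:09 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.9 Mozilla/5.0 200 12
2021-08-13 08:02:41 10.0.0.5 POST /autodiscover/autodiscover.json/PowerShell - 443 - 203.0.113.44 Mozilla/5.0 401 9
"""


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software / #Version / #Date carry no request data
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def request_url(rec: Dict[str, str]) -> str:
    """Rebuild path?query from the split IIS columns ("-" means no query)."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def is_autodiscover_powershell(rec: Dict[str, str]) -> bool:
    """Advisory indicator: an /autodiscover/ request whose URL mentions powershell.

    A direct /powershell request is the ordinary remote-management endpoint and
    is intentionally not matched; only the Autodiscover-fronted form is flagged.
    Matching is case-insensitive because IIS preserves the client's casing.
    """
    stem = rec.get("cs-uri-stem", "").lower()
    return stem.startswith("/autodiscover/") and "powershell" in request_url(rec).lower()


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed record that matches the indicator."""
    return [r for r in parse_iis_w3c(log_text.splitlines()) if is_autodiscover_powershell(r)]


def summarize_sources(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching requests per client IP so responders can scope the activity."""
    return dict(Counter(h["c-ip"] for h in hits))


if __name__ == "__main__":
    matches = find_hits(SAMPLE_IIS_LOG)
    for h in matches:
        print(f'{h["date"]} {h["time"]} {h["c-ip"]:>15} {h["cs-method"]} '
              f'{request_url(h)} -> HTTP {h["sc-status"]}')
    print("sources:", summarize_sources(matches))
```

Run it against the real `W3SVC1` front-end logs by replacing `SAMPLE_IIS_LOG` with the file contents; a 200 response on a matching request is the case that warrants the webshell and mailbox-rule checks in steps 3 and 5, while a 401 on an otherwise patched server is still worth recording as a probe from that source address.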

Key Details

Property               Value
CVE ID                 CVE-2021-34473
Vendor / Product       Microsoft — Exchange Server
NVD Published          2021-07-14
NVD Last Modified      2025-10-29
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-918
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-04-13   Microsoft patches CVE-2021-34473 in April 2021 Patch Tuesday (KB5001779)
2021-07-14   CVE published (delayed after April patch)
2021-08      Orange Tsai presents ProxyShell chain at Black Hat/DEF CON; mass exploitation begins
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline