CVE-2021-34523 — Microsoft Exchange Server Privilege Escalation Vulnerability

CVE-2021-34523

Microsoft Exchange Server — ProxyShell Stage 2: Remote PowerShell Backend Privilege Escalation (Unverified X-Rps-CAT Token) Leading to NT AUTHORITY\SYSTEM Code Execution

What is Microsoft Exchange Server?

Microsoft Exchange Server is one of the most widely deployed on-premises email and collaboration platforms, used by enterprises and government agencies globally. Its IIS application pools run as NT AUTHORITY\SYSTEM and the server is the mail gateway for the whole organization, so any flaw that lets an attacker run code inside those pools is about as severe as a vulnerability gets. CVE-2021-34523 is the second component of the ProxyShell exploit chain (CVE-2021-34473 + CVE-2021-34523 + CVE-2021-31207). See also CVE-2021-34473 for the SSRF stage that delivers the attacker's request to the backend endpoint exploited here.

Overview

CVE-2021-34523 is an elevation of privilege vulnerability in the Exchange Remote PowerShell backend (the /powershell virtual directory on the Exchange Back End web site). The backend builds the caller's security context from a serialized CommonAccessToken passed in the X-Rps-CAT query parameter. That token is meant to be generated by the front end after it has authenticated the user, but the backend does not verify where the token came from. An attacker who can reach the backend through the SSRF in CVE-2021-34473 can therefore supply a token naming any account, for example an Exchange administrator, and run Exchange management cmdlets as that user without knowing a password. Because the Exchange application pools themselves run as NT AUTHORITY\SYSTEM, the file write this access enables in stage 3 (CVE-2021-31207) yields code execution as SYSTEM. This was the second component in Orange Tsai's ProxyShell chain presented at Black Hat USA 2021, and the chain became one of the most widely exploited of 2021.

Affected Versions

Product              | Affected builds | Fixed in
---------------------|-----------------|----------------------------------------------------------
Exchange Server 2013 | CU23            | April 2021 SU (KB5001779) or later, e.g. KB5003435
Exchange Server 2016 | CU19, CU20      | April 2021 SU (KB5001779) or later, e.g. KB5003611 / KB5003612
Exchange Server 2019 | CU8, CU9        | April 2021 SU (KB5001779) or later, e.g. KB5003611 / KB5003612

Technical Details

The Exchange application pools, including the backend that serves Remote PowerShell, run as NT AUTHORITY\SYSTEM. When the backend receives a request that appears to be forwarded from the front end (which is exactly what the SSRF in CVE-2021-34473 produces), it does not verify the authorization context it is handed:

  • Root cause: The Remote PowerShell (RPS) backend takes the caller's identity from the X-Rps-CAT query parameter, a serialized CommonAccessToken that the front end normally creates after authenticating the user. The backend trusts the token without checking that the front end produced it, so an attacker can craft one for any account (an Exchange or domain administrator, for instance) and run Exchange cmdlets as that user
  • Scope: Changed: The attacker's request enters the front end with no credentials and ends up executing in the backend with the identity of whatever user the forged token names, crossing the authentication boundary between the two tiers
  • Attack vector: Local (per the CVSS vector): the vulnerable endpoint is only meant to be reachable from the Exchange server's own front end; stage 1's SSRF is what makes it reachable from the network
  • Chain position: This vulnerability is the bridge between SSRF access (stage 1) and arbitrary file write (stage 3). Stage 3 needs an account with Exchange administrative rights to assign the Mailbox Import Export role and create a mailbox export request; the impersonation here supplies that account, and because the export is written by Exchange's SYSTEM-level process, the resulting webshell runs as SYSTEM
  • End result: An attacker who chains CVE-2021-34473 → CVE-2021-34523 → CVE-2021-31207 achieves full unauthenticated RCE as NT AUTHORITY\SYSTEM

Discovery

Discovered by Orange Tsai (Cheng-Da Tsai) of DEVCORE as part of the ProxyShell vulnerability chain, for which he won $200,000 at Pwn2Own 2021. The chain was presented publicly at Black Hat USA 2021 and DEF CON 29 in August 2021.

Exploitation Context

ProxyShell became one of the most rapidly and widely exploited vulnerability chains in 2021. Within 24 hours of the Black Hat presentation, threat actors were mass-scanning for unpatched Exchange servers. Despite the patch being available since April 2021, vast numbers of Exchange deployments remained unpatched at the time of the August 2021 disclosure. LockFile, Conti, AvosLocker, and other ransomware groups exploited ProxyShell for initial access, ransomware deployment, and email exfiltration. Nation-state actors also exploited it for persistent email espionage.

Remediation

  1. Apply the April 2021 Security Update (KB5001779) for your Cumulative Update level, or any later SU or CU; the same update patches all three ProxyShell components
  2. Verify the update is actually installed. The Exchange Admin Center and Get-ExchangeServer report only the CU build, not the SU level, so confirm the SU under Installed Updates or with Microsoft's Exchange Server Health Checker script
  3. If exploitation is suspected: search for unauthorized webshells (.aspx files with unexpected names or recent timestamps) in \inetpub\wwwroot\aspnet_client\ and the Exchange FrontEnd\HttpProxy\ web directories
  4. Review the IIS logs of the front-end (W3SVC1) and back-end (W3SVC2) sites, not only OWA and ECP, for /autodiscover/autodiscover.json requests whose query string contains autodiscover.json?@ (stage 1) and for /powershell requests carrying an X-Rps-CAT parameter (stage 2)
  5. Check for unauthorized management role assignments (Get-ManagementRoleAssignment), mailbox export requests (Get-MailboxExportRequest), new mailboxes, and unauthorized mail forwarding rules
  6. Audit Active Directory for new accounts or privilege changes; SYSTEM on an Exchange server, combined with Exchange's own permissions in AD, can be leveraged for domain-level persistence
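The log review in steps 3 and 4 is mechanical enough to script. The following is an added example written for this page, not code from Microsoft, DEVCORE or any ProxyShell tooling: it parses IIS W3C log entries from the Exchange front-end site and flags the request shapes the chain leaves behind. The log lines, host names, client addresses and the X-Rps-CAT value are constructed for illustration; the field order is the stock IIS W3C layout, and treating an .aspx hit under /aspnet_client/ as a stage 3 indicator is a heuristic (that directory normally serves only static client-side script).

```python
"""Hunt for ProxyShell request patterns in Exchange front-end IIS (W3C) logs.

Added example for this page, not vendor or DEVCORE code. Indicators used:
  stage 1: /autodiscover/autodiscover.json with Email=autodiscover/autodiscover.json?@...
  stage 2: an X-Rps-CAT token carried in the query string towards /powershell
  stage 3: an .aspx file served from /aspnet_client/ (heuristic)
"""
import re
from urllib.parse import unquote

STAGE1 = "stage1-ssrf"      # CVE-2021-34473
STAGE2 = "stage2-eop"       # CVE-2021-34523
STAGE3 = "stage3-webshell"  # outcome of CVE-2021-31207

# Extracts the backend path the SSRF is steered to, e.g. "@host/powershell/?..." -> "powershell/"
BACKEND_RE = re.compile(r"^@[^/]+/([^?&]+)")

# Constructed sample log (hypothetical hosts, addresses, timestamps; X-Rps-CAT value is a placeholder).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-12 14:02:11 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2021-08-12 14:05:40 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 85
2021-08-12 14:05:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=REDACTED&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 310
2021-08-12 14:06:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/ews/exchange.asmx/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 410
2021-08-12 14:07:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice%40corp.example 443 - 10.0.1.44 Microsoft+Office/16.0 - 200 0 0 40
2021-08-12 14:09:15 10.0.0.5 GET /aspnet_client/shell.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 22
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return (stages, backend) for one entry; stages is empty for benign traffic."""
    stem = entry["cs-uri-stem"].lower()
    # IIS stores the raw query string; decode once so "%3F@" and "?@" compare equal.
    query = unquote(entry["cs-uri-query"]).lower()
    stages, backend = [], None
    if stem.endswith("/autodiscover/autodiscover.json") and "email=autodiscover/autodiscover.json?@" in query:
        stages.append(STAGE1)
        m = BACKEND_RE.match(query)
        if m:
            backend = m.group(1).strip("/")
    if "x-rps-cat=" in query:
        stages.append(STAGE2)
    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        stages.append(STAGE3)
    return stages, backend


def hunt(text):
    """Return every suspicious entry with the stages it matches, in log order."""
    findings = []
    for entry in parse_w3c(text):
        stages, backend = classify(entry)
        if stages:
            findings.append({
                "time": f'{entry["date"]} {entry["time"]}',
                "src": entry["c-ip"],
                "stem": entry["cs-uri-stem"],
                "backend": backend,
                "stages": stages,
            })
    return findings


def summarize_by_source(text):
    """Map each client address to the set of chain stages it was seen performing."""
    seen = {}
    for f in hunt(text):
        seen.setdefault(f["src"], set()).update(f["stages"])
    return seen


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f'{f["time"]} {f["src"]:15} {f["stem"]:34} backend={f["backend"]} {",".join(f["stages"])}')
    for src, stages in summarize_by_source(SAMPLE_LOG).items():
        print(f"{src}: {len(stages)}/3 stages observed -> {sorted(stages)}")
```

Against a real server, feed it the concatenated contents of the W3SVC1 log directory. One client address that shows all three stages, as 198.51.100.23 does in the sample, is a far stronger signal than an isolated autodiscover hit, and the normal Outlook request from 10.0.1.44 is not flagged because the Email value names a mailbox rather than another autodiscover URL.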

Key Details

Property             | Value
---------------------|------------------------------------------------
CVE ID               | CVE-2021-34523
Vendor / Product     | Microsoft — Exchange Server
NVD Published        | 2021-07-14
NVD Last Modified    | 2025-10-30
CVSS 3.1 Score       | 9.0
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Severity             | CRITICAL
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2021-11-17
Known Ransomware Use | ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date       | Event
-----------|------------------------------------------------------------------------------------------
2021-04-13 | Microsoft patches CVE-2021-34523 in the April 2021 Patch Tuesday security update (KB5001779)
2021-07-14 | CVE published
2021-08    | Orange Tsai presents the ProxyShell chain at Black Hat/DEF CON; exploitation begins immediately
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline