CVE-2021-42321 — Microsoft Exchange Server Remote Code Execution Vulnerability


Microsoft Exchange Server — Authenticated RCE via Improper Cmdlet Argument Validation; Zero-Day Demonstrated at Tianfu Cup, Exploited in Ransomware Campaigns

What is Microsoft Exchange Server?

Microsoft Exchange Server is the dominant enterprise email and collaboration platform, deployed on-premises in hundreds of thousands of organizations worldwide. Exchange Server handles all email routing, mailbox storage, calendar, and contacts for corporate environments. As a network-accessible service handling authentication and rich server-side functionality, Exchange has been a high-priority target for advanced threat actors: 2021 alone saw the ProxyLogon zero-day chain (March), the ProxyShell chain (August), and now CVE-2021-42321 (November). Exchange servers are valuable targets because they contain the complete email history of an organization, often including credentials, sensitive business information, and communications about security incidents. Exchange Server also runs as a privileged service, meaning code execution on Exchange typically provides significant lateral movement capability within a Windows environment.

Overview

CVE-2021-42321 is a post-authentication remote code execution vulnerability in Microsoft Exchange Server caused by improper validation of cmdlet arguments. Exchange exposes a PowerShell remoting interface (Exchange Management Shell) that authenticated users with mailbox access can use for certain operations. A flaw in how Exchange validates parameters passed to certain cmdlets allows an attacker with a valid Exchange account (low privilege — any mailbox user) to trigger deserialization of attacker-controlled data, leading to arbitrary code execution on the Exchange server in the context of the Exchange service account (SYSTEM or NETWORK SERVICE with high privileges).

Microsoft patched this as a zero-day in the November 2021 Patch Tuesday release, with limited exploitation in targeted attacks confirmed at the time of disclosure. The vulnerability was also demonstrated by security researchers at the Tianfu Cup 2021 hacking contest held the same day. CISA added it to the KEV catalog one week after the patch.

Affected Versions

Product                                        Vulnerable     Fixed
Microsoft Exchange Server 2013 CU23            Yes            November 2021 Security Update
Microsoft Exchange Server 2016 CU21 and CU22   Yes            November 2021 Security Update
Microsoft Exchange Server 2019 CU10 and CU11   Yes            November 2021 Security Update
Exchange Online (Microsoft 365)                Not affected   N/A — Microsoft-managed

Technical Details

  • Root cause: Improper validation of cmdlet arguments in Exchange Server's PowerShell remoting endpoint — specifically, Exchange does not adequately sanitize or validate arguments passed to certain Exchange Management Shell cmdlets before processing them
  • Deserialization: The inadequate validation allows attacker-controlled data to reach a deserialization code path. Exchange uses .NET BinaryFormatter deserialization internally for certain operations; deserializing untrusted data with BinaryFormatter is a well-known arbitrary code execution primitive in .NET
  • Authentication required (PR:L): The attacker must have a valid Exchange account — any mailbox user. This is a lower bar than it sounds: phishing campaigns routinely compromise Exchange mailbox credentials, and many organizations have broad internal user bases with Exchange access
  • Network access: The Exchange PowerShell remoting endpoint (typically accessible on the same port as OWA/EAS) must be reachable. Internet-exposed Exchange servers are directly vulnerable; internal Exchange servers require an attacker with network access and a compromised credential
  • Code execution context: Successful exploitation provides code execution in the context of the Exchange service account, which has extensive privileges on the Exchange server and often within the Active Directory environment
  • Scope: Unchanged — RCE is within the Exchange server itself; lateral movement to additional systems requires separate steps

Discovery

The vulnerability was reported to Microsoft and patched as an actively exploited zero-day. On the same day as the November 9, 2021 Patch Tuesday release, security researchers at the Tianfu Cup 2021 — China's national hacking competition held annually in Chengdu — demonstrated a working exploit for CVE-2021-42321 against Exchange Server, winning a cash prize. Microsoft's security blog confirmed limited targeted exploitation in the wild at the time of the patch release.

Exploitation Context

2021 was an extraordinary year for Exchange Server exploitation. CVE-2021-42321 added to a growing list of critical Exchange vulnerabilities that threat actors incorporated into their playbooks. With ransomware use confirmed, this vulnerability was used in post-compromise attack chains: after gaining initial access via other means (phishing for credentials, or chaining with other vulnerabilities), attackers with valid Exchange credentials could use CVE-2021-42321 to achieve code execution on the Exchange server for lateral movement, data theft, and ransomware staging. The combination of Exchange's privileged position in Windows environments and the authenticated-only requirement made this particularly valuable in ransomware operations where credentials are obtained early in the kill chain.

Remediation

  1. Apply November 2021 Security Update for your specific Exchange Server version (Exchange 2013 CU23, 2016 CU21/CU22, or 2019 CU10/CU11) from the Microsoft Security Update Guide
  2. Ensure you are running a supported Cumulative Update (CU) before applying the security update — the November 2021 patch only applies to specific CU versions; unsupported CU versions require upgrading to a supported CU first
  3. Restrict Exchange PowerShell remoting access to administrative accounts only — block regular mailbox users from accessing the Exchange Management Shell via network policy if not required
  4. Enable Extended Protection for Authentication on Exchange (Microsoft released a script to automate this: ExchangeExtendedProtectionManagement.ps1) to harden against credential relay attacks
  5. Review Exchange Server logs for unusual PowerShell remoting activity: IIS logs for /PowerShell endpoint access with non-administrative accounts
  6. Consider migrating to Exchange Online (Microsoft 365) to eliminate on-premises Exchange attack surface — Microsoft manages patching and security for Exchange Online
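One way to carry out the log review in step 5, as an added example that is not from this page or from Microsoft: a small Python script that parses IIS logs in W3C format using the #Fields header and flags authenticated requests to the /PowerShell endpoint from accounts outside an assumed admin allow-list. The log lines and the ADMIN_ACCOUNTS set are constructed for the example; replace them with your own log files and admin group.

```python
"""Flag /PowerShell endpoint requests by non-admin accounts in Exchange IIS logs."""
from collections import Counter

# Constructed sample lines in IIS W3C format (not real Exchange log data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-10 08:01:12 10.0.0.5 POST /PowerShell/ - 443 CORP\\exadmin 10.0.0.21 Microsoft+WinRM+Client 200
2021-11-10 08:02:40 10.0.0.5 POST /owa/ - 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0 200
2021-11-10 08:03:05 10.0.0.5 POST /PowerShell/ - 443 CORP\\jdoe 198.51.100.23 Unknown-Client/1.0 200
2021-11-10 08:03:09 10.0.0.5 POST /powershell - 443 CORP\\jdoe 198.51.100.23 Unknown-Client/1.0 200
2021-11-10 08:04:00 10.0.0.5 POST /PowerShell/ - 443 - 198.51.100.23 Unknown-Client/1.0 401
"""

# Assumed allow-list of accounts expected to use remote PowerShell (lower-case).
ADMIN_ACCOUNTS = {"corp\\exadmin"}


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_powershell_requests(text, admin_accounts=ADMIN_ACCOUNTS):
    """Return authenticated /PowerShell hits (any case, with or without a
    trailing slash) whose cs-username is not in the admin allow-list.
    Unauthenticated rows (cs-username '-') are skipped; a 401 is not a session."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower().rstrip("/")
        user = rec.get("cs-username", "-").lower()
        if stem == "/powershell" and user != "-" and user not in admin_accounts:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count suspicious hits per (user, client IP) so repeat activity stands out."""
    return Counter((h["cs-username"], h["c-ip"]) for h in hits)


if __name__ == "__main__":
    for (user, ip), n in summarize(suspicious_powershell_requests(SAMPLE_LOG)).items():
        print(f"{user} from {ip}: {n} request(s) to /PowerShell")
```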

Key Details

Property               Value
CVE ID                 CVE-2021-42321
Vendor / Product       Microsoft — Exchange
NVD Published          2021-11-10
NVD Last Modified      2025-10-30
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2021-11-17
CISA KEV Deadline      2021-12-01
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2021-12-01. Apply updates per vendor instructions.

Timeline

Date         Event
2021-11-09   Microsoft patches CVE-2021-42321 in November 2021 Patch Tuesday; Microsoft confirms zero-day exploitation in limited targeted attacks
2021-11-09   CVE-2021-42321 demonstrated at Tianfu Cup 2021 (China's national hacking contest) on the same day as the patch
2021-11-10   CVE published
2021-11-17   CISA adds to Known Exploited Vulnerabilities catalog
2021-12-01   CISA BOD 22-01 remediation deadline