CVE-2021-26422

7.2 HIGH

📋 TL;DR

This vulnerability allows remote code execution on Skype for Business and Lync servers. An attacker could execute arbitrary code with SYSTEM privileges by sending specially crafted requests to the affected server. Organizations running vulnerable versions of Skype for Business or Lync are affected.

💻 Affected Systems

Products:
  • Skype for Business Server
  • Lync Server
Versions: Skype for Business Server 2015 CU8 and earlier, Lync Server 2013 CU7 and earlier
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Standard and Enterprise editions. Requires the server to be configured with the Web Components Server role.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing an attacker to install programs, view/change/delete data, or create new accounts with full user rights.

🟠

Likely Case

Attacker gains control of the Skype for Business/Lync server, potentially accessing sensitive communications data and using the server as a foothold for lateral movement.

🟢

If Mitigated

With proper network segmentation and access controls, impact limited to the Skype for Business/Lync server itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability is in the web components and can be exploited without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Skype for Business Server 2015 CU9, Lync Server 2013 CU8

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26422

Restart Required: Yes

Instructions:

1. Download the appropriate Cumulative Update from the Microsoft Update Catalog.
2. Apply the update to all affected Skype for Business/Lync servers.
3. Restart the servers as required.

🔧 Temporary Workarounds

Block specific ports (Windows)

Block inbound traffic to the Skype for Business/Lync web components ports (typically 443/TCP for HTTPS); note that this also blocks legitimate client access to those web components:

netsh advfirewall firewall add rule name="Block Skype Web Ports" dir=in action=block protocol=TCP localport=443

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Skype for Business/Lync servers from other critical systems
  • Deploy web application firewall (WAF) rules to block suspicious requests to the web components

🔍 How to Verify

Check if Vulnerable:

Check the server version against the affected versions list, and verify whether the Web Components Server role is installed.

Check Version:

In PowerShell: Get-Command *Skype* | Select-Object Version; or check Add/Remove Programs for the installed Skype for Business/Lync version.

Verify Fix Applied:

Verify that Cumulative Update CU9 (Skype for Business 2015) or CU8 (Lync 2013) is installed and server version is updated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to /abs/ paths
  • Failed authentication attempts followed by successful exploitation patterns
  • Unexpected process creation from w3wp.exe

Network Indicators:

  • Unusual outbound connections from Skype/Lync servers
  • Traffic patterns indicating command and control communication

SIEM Query:

source="SkypeServer" AND (url="*/abs/*" OR process="powershell.exe" OR process="cmd.exe")
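The log and process indicators above, turned into detection checks that run over constructed sample data. This is an added example, not part of the page or any Microsoft tooling; it assumes IIS W3C logs with the field order in FIELDS, process-creation events as (parent, child) pairs, and a client user-agent allow-list that is this example's own choice.

```python
# Added example, not from the page or Microsoft: the log and process indicators
# above as checks over constructed sample data. Assumed: IIS W3C field order as in
# FIELDS, (parent, child) process events, and this example's own allow-list.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "s_port", "username", "c_ip", "user_agent", "status"]
# Constructed IIS lines; 203.0.113.9 is a documentation address, not an IoC.
IIS_LOG = """\
2021-05-11 10:00:01 10.0.0.5 GET /abs/handler/ - 443 - 10.0.1.20 OC/16.0 200
2021-05-11 10:00:02 10.0.0.5 POST /abs/handler/ - 443 - 203.0.113.9 python-requests/2.25 500
2021-05-11 10:00:03 10.0.0.5 GET /dialin/ - 443 - 10.0.1.21 Mozilla/5.0 200
2021-05-11 10:00:04 10.0.0.5 PUT /abs/handler/ - 443 - 203.0.113.9 curl/7.64 401
"""
# Constructed process-creation events as (parent, child) pairs.
PROC_EVENTS = [("w3wp.exe", "csc.exe"),             # ASP.NET compile, benign
               ("w3wp.exe", "cmd.exe"),             # worker spawning a shell
               ("svchost.exe", "powershell.exe")]   # not from the web worker
KNOWN_CLIENT_UA = ("OC/",)   # assumed allow-list prefix for Lync/SfB clients
WEB_WORKER, SHELLS = "w3wp.exe", {"cmd.exe", "powershell.exe"}

def parse_iis(text):
    """One dict per W3C log line; '#' directive lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if parts and not line.startswith("#") and len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def unusual_abs_requests(text):
    """/abs/ requests that do not look like ordinary client address-book traffic."""
    hits = []
    for r in parse_iis(text):
        if not r["uri_stem"].lower().startswith("/abs/"):
            continue
        reasons = []
        if r["method"] not in ("GET", "POST"):
            reasons.append("method " + r["method"])
        if r["status"].startswith("5"):
            reasons.append("server error " + r["status"])
        if not r["user_agent"].startswith(KNOWN_CLIENT_UA):
            reasons.append("unknown client " + r["user_agent"])
        if reasons:
            hits.append({"c_ip": r["c_ip"], "uri": r["uri_stem"], "reasons": reasons})
    return hits

def shells_from_web_worker(events):
    """Process events where the IIS worker process spawned a shell."""
    return [(p, c) for p, c in events if p == WEB_WORKER and c in SHELLS]

if __name__ == "__main__":
    print(unusual_abs_requests(IIS_LOG), shells_from_web_worker(PROC_EVENTS))
```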

🔗 References
