CVE-2021-26855
📋 TL;DR
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that allows unauthenticated attackers to execute arbitrary code remotely. This vulnerability affects on-premises Exchange servers and was part of the ProxyLogon attack chain. Organizations running vulnerable Exchange servers are at immediate risk of compromise.
💻 Affected Systems
- Microsoft Exchange Server
📦 What is this software?
Exchange Server by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Exchange server leading to domain takeover, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Attackers gain initial access, install web shells, steal email data, and move laterally within the network.
If Mitigated
Limited impact with proper network segmentation, but still potential for Exchange server compromise.
🎯 Exploit Status
Widely exploited in the wild as part of ProxyLogon attacks. Multiple exploit chains and tools available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates for Exchange Server 2013 CU23, 2016 CU19/CU20, 2019 CU8/CU9
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
Restart Required: Yes
Instructions:
1. Download the appropriate security update from the Microsoft Update Catalog.
2. Apply the update to all Exchange servers.
3. Restart the servers.
4. Run the Exchange Health Checker script to verify.
🔧 Temporary Workarounds
URL Rewrite Mitigation
Blocks the specific URL pattern used in exploitation (PowerShell, run as administrator on each Exchange server; requires the IIS URL Rewrite module):
Import-Module WebAdministration
# Create the rule under the Autodiscover virtual directory. The URL Rewrite 'match url' value never includes the query string, so the pattern is applied as a condition on {REQUEST_URI}, which does include it.
Add-WebConfigurationProperty -pspath 'IIS:\Sites\Default Web Site\Autodiscover' -filter 'system.webServer/rewrite/rules' -name '.' -value @{name='Block ProxyLogon'; patternSyntax='ECMAScript'; stopProcessing='True'}
Set-WebConfigurationProperty -pspath 'IIS:\Sites\Default Web Site\Autodiscover' -filter "system.webServer/rewrite/rules/rule[@name='Block ProxyLogon']/match" -name 'url' -value '.*'
Set-WebConfigurationProperty -pspath 'IIS:\Sites\Default Web Site\Autodiscover' -filter "system.webServer/rewrite/rules/rule[@name='Block ProxyLogon']/conditions" -name '.' -value @{input='{REQUEST_URI}'; pattern='.*autodiscover\.json.*@.*Powershell.*'}
# Abort the connection instead of serving the request
Set-WebConfigurationProperty -pspath 'IIS:\Sites\Default Web Site\Autodiscover' -filter "system.webServer/rewrite/rules/rule[@name='Block ProxyLogon']/action" -name 'type' -value 'AbortRequest'
Disable Unified Messaging
Temporarily disables the vulnerable component (Exchange Management Shell; replace <ServerName> with the name of the Exchange server):
# Stops the Unified Messaging service on the named server; re-enable it with Enable-UMService after patching
Disable-UMService -Identity <ServerName>
🧯 If You Can't Patch
- Immediately block external access to Exchange servers at the firewall
- Implement strict network segmentation and monitor for suspicious PowerShell activity
🔍 How to Verify
Check if Vulnerable:
Run Microsoft's Exchange Health Checker script: https://aka.ms/ExchangeHealthChecker
Check Version:
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
Verify Fix Applied:
Check that the Exchange build number matches the patched version and run the Health Checker script
📡 Detection & Monitoring
Log Indicators:
- Unusual Autodiscover requests with PowerShell in URL
- IIS logs showing POST to /ecp/ with suspicious parameters
- Creation of unexpected aspx files in Exchange directories
Network Indicators:
- HTTP requests to /ecp/ with suspicious OABGenerator parameters
- Unusual PowerShell execution from Exchange server
SIEM Query:
source="IIS" AND (url="*autodiscover.json*@*Powershell*" OR url="*/ecp/*") AND status=200
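The following Python script is an added example, not part of this advisory or of any Microsoft tooling. It parses IIS W3C-format logs and applies the log indicators and the SIEM query above to them, so the two can be compared: the SIEM query is broad (any successful /ecp/ request matches, including routine admin use), while the narrower indicator rules look for the autodiscover.json/@/Powershell pattern and for POSTs to /ecp/ carrying an OABGenerator parameter regardless of status code. The embedded log excerpt is constructed sample data, and the indicator names and field layout are the example's own assumptions.

```python
"""Scan IIS W3C logs for the ProxyLogon log indicators listed above.

Added example; the sample log below is constructed, not real traffic.
"""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# Constructed IIS W3C log excerpt. Records 1, 2 and 5 mirror the indicators
# above; records 3 and 4 are ordinary OWA/ECP traffic for contrast.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/Powershell 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-03 10:15:04 10.0.0.5 POST /ecp/ OABGenerator=1 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-03 10:16:30 10.0.0.5 GET /owa/ - 443 - 198.51.100.20 Mozilla/5.0 200
2021-03-03 10:17:12 10.0.0.5 GET /ecp/ - 443 CONTOSO\\admin 10.0.0.40 Mozilla/5.0 200
2021-03-03 10:18:45 10.0.0.5 POST /autodiscover/autodiscover.json @contoso.example/Powershell 443 - 203.0.113.7 python-requests/2.25.1 401
"""

Record = Dict[str, str]


def parse_iis_w3c(text: str) -> List[Record]:
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # header missing or malformed line; a real scanner would report it
        records.append(dict(zip(fields, values)))
    return records


def request_url(rec: Record) -> str:
    """Rebuild stem?query the way the SIEM's url field sees it ('-' means empty)."""
    query = rec.get("cs-uri-query", "-")
    return rec["cs-uri-stem"] + ("" if query == "-" else "?" + query)


# The wildcard patterns taken from the SIEM query above.
SIEM_URL_PATTERNS = ("*autodiscover.json*@*Powershell*", "*/ecp/*")


def matches_siem_query(rec: Record) -> bool:
    """Replicates the SIEM query above: status 200 and url matching either wildcard."""
    url = request_url(rec).lower()
    return rec.get("sc-status") == "200" and any(
        fnmatch.fnmatchcase(url, pattern.lower()) for pattern in SIEM_URL_PATTERNS
    )


# Narrower rules following the log indicators above. They ignore the status code,
# because a blocked or failed attempt is still worth knowing about.
AUTODISCOVER_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)
ECP_OABGEN_RE = re.compile(r"oabgenerator", re.IGNORECASE)


def classify(rec: Record) -> Optional[str]:
    """Return the indicator name a record matches, or None for benign traffic."""
    url = request_url(rec)
    if AUTODISCOVER_RE.search(url):
        return "autodiscover-powershell"
    if rec.get("cs-method") == "POST" and url.lower().startswith("/ecp/") and ECP_OABGEN_RE.search(url):
        return "ecp-oabgenerator"
    return None


Hit = Tuple[int, str, str, str]  # (record index, indicator, client ip, status)


def find_indicators(records: List[Record]) -> List[Hit]:
    """Run the narrow indicator rules over parsed records."""
    hits: List[Hit] = []
    for index, rec in enumerate(records, 1):
        indicator = classify(rec)
        if indicator:
            hits.append((index, indicator, rec.get("c-ip", "-"), rec.get("sc-status", "-")))
    return hits


if __name__ == "__main__":
    parsed = parse_iis_w3c(SAMPLE_LOG)
    for hit in find_indicators(parsed):
        print("record %d: %s from %s (status %s)" % hit)
    broad = sum(matches_siem_query(r) for r in parsed)
    print(f"{broad} of {len(parsed)} records match the broad SIEM query")
```

On the sample data the narrow rules flag records 1, 2 and 5 (the last one despite its 401), while the SIEM query matches records 1, 2 and 4, picking up the admin's ordinary /ecp/ visit and missing the failed attempt. In production, point parse_iis_w3c at the Exchange server's IIS log directory and group hits by client IP before triage.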
🔗 References
- http://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html
- http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html
- http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26855