CVE-2021-31198

7.8 HIGH

📋 TL;DR

CVE-2021-31198 is a remote code execution vulnerability in Microsoft Exchange Server that lets an attacker execute arbitrary code on an affected server by sending specially crafted HTTP requests. Organizations running vulnerable Exchange Server versions are at risk.

💻 Affected Systems

Products:
  • Microsoft Exchange Server
Versions: Exchange Server 2019 Cumulative Update 8 and earlier, Exchange Server 2016 Cumulative Update 19 and earlier
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Exchange Server installations with default configurations. Requires the HTTP protocol stack (Http.sys) to be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Exchange Server, allowing attackers to steal sensitive email data, deploy ransomware, pivot to internal networks, and maintain persistent access.

🟠 Likely Case

Attackers gain an initial foothold on the Exchange Server, potentially leading to data exfiltration, credential theft, and lateral movement within the network.

🟢 If Mitigated

With proper network segmentation, EDR protection, and monitoring, impact is limited to the Exchange Server itself with minimal lateral movement potential.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to vulnerable Exchange Servers. Multiple proof-of-concept exploits are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Exchange Server 2019 Cumulative Update 9, Exchange Server 2016 Cumulative Update 20

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31198

Restart Required: Yes

Instructions:

1. Download the appropriate Cumulative Update from the Microsoft Update Catalog.
2. Apply the update to all Exchange Servers.
3. Restart the Exchange Server services.
4. Verify the update was successful.

🔧 Temporary Workarounds

URL Rewrite Rule (Windows / IIS)

Blocks malicious HTTP requests by implementing a URL rewrite rule in IIS. The command below only declares the rule; its match pattern and blocking action are not given here and must be taken from the vendor guidance before the rule has any effect.

# Declares an empty rewrite rule named Block_CVE-2021-31198 at the IIS server level (requires the IIS URL Rewrite module and the WebAdministration PowerShell module)
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/rewrite/rules' -name '.' -value @{name='Block_CVE-2021-31198';patternSyntax='ECMAScript';stopProcessing='True'}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Exchange Servers from critical internal resources
  • Deploy web application firewall (WAF) rules to block malicious HTTP requests targeting this vulnerability

🔍 How to Verify

Check if Vulnerable:

Check the Exchange Server version from the Exchange Management Shell:

Get-ExchangeServer | Select Name, Edition, AdminDisplayVersion

Verify Fix Applied:

Confirm the installed Exchange Server version is CU9 (Exchange 2019) or CU20 (Exchange 2016) or later. Note that AdminDisplayVersion reports a build number rather than a CU name, so compare it against the build listed for that CU in the vendor advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests in IIS logs, unexpected process creation events in Windows Event Logs

Network Indicators:

  • Suspicious HTTP traffic to Exchange Server endpoints, unusual outbound connections from Exchange Servers

SIEM Query (template; replace malicious_pattern with a request pattern from the vendor guidance, and expect status_code=500 alone to be noisy):

source="IIS" AND (url="*malicious_pattern*" OR status_code=500) | stats count by src_ip, url
