CVE-2021-34473

9.1 CRITICAL

📋 TL;DR

CVE-2021-34473 is a critical remote code execution vulnerability in Microsoft Exchange Server that allows unauthenticated attackers to execute arbitrary code on vulnerable servers. It affects on-premises Exchange Server deployments and is part of the ProxyShell attack chain. Organizations running vulnerable Exchange Server versions are at immediate risk.

💻 Affected Systems

Products:
  • Microsoft Exchange Server
Versions: Exchange Server 2013, 2016, 2019 - specific vulnerable versions include cumulative updates prior to July 2021
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects on-premises Exchange Server deployments. Exchange Online is not affected. Requires the Exchange Client Access Service (CAS) to be running.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Exchange Server leading to domain takeover, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case

Initial access leading to credential theft, email data theft, lateral movement within the network, and installation of web shells for persistence.

🟢 If Mitigated

Attack blocked at perimeter if properly configured, with only authenticated exploitation possible from internal networks.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible from internet-facing Exchange servers.
🏢 Internal Only: MEDIUM - Requires authentication but still exploitable from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Widely exploited in the wild as part of ProxyShell attacks. Multiple public exploit scripts available. Often chained with CVE-2021-34523 and CVE-2021-31207.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2021 Cumulative Updates for Exchange Server (KB5004779 for Exchange 2019, KB5004778 for Exchange 2016, KB5004777 for Exchange 2013)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473

Restart Required: Yes

Instructions:

1. Download the appropriate July 2021 Cumulative Update from the Microsoft Update Catalog.
2. Apply the update following Microsoft's Exchange Server update guidance.
3. Restart Exchange services or the server as required.
4. Verify installation via the Exchange Management Shell: Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

🔧 Temporary Workarounds

URL Rewrite Rule Mitigation

Platform: Windows

Blocks exploitation attempts by filtering malicious requests to the Autodiscover endpoint

Add web.config rule to block specific patterns in Autodiscover requests

Disable Remote PowerShell

Platform: Windows

Reduces attack surface by disabling Remote PowerShell access

Set-OrganizationConfig -RemotePowerShellEnabled $false

🧯 If You Can't Patch

  • Block external access to Exchange Server via firewall rules
  • Implement strict network segmentation and monitor for suspicious Autodiscover requests

🔍 How to Verify

Check if Vulnerable:

Check Exchange Server version against vulnerable versions. Use Microsoft's Exchange Server Health Checker script or manually check build numbers.

Check Version:

Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

Verify Fix Applied:

Verify July 2021 CU is installed: Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion. Build numbers should be 15.2.986.14+ (2019), 15.1.2308.14+ (2016), or 15.0.1497.26+ (2013).

📡 Detection & Monitoring

Log Indicators:

  • Unusual Autodiscover requests with PowerShell commands
  • IIS logs showing POST requests to /autodiscover/autodiscover.json with suspicious parameters
  • Event logs showing unexpected PowerShell execution

Network Indicators:

  • HTTP requests containing 'PowerShell' in Autodiscover endpoints
  • Unusual outbound connections from Exchange servers
  • Traffic to known malicious IPs from Exchange servers

SIEM Query:

source="IIS" AND (url="/autodiscover/autodiscover.json" OR url="/ecp/*") AND (method="POST" OR method="PROPFIND") AND size>10000
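The log indicators and SIEM query above can be applied to raw IIS W3C logs directly. The following is an added example, not code from the advisory or from Microsoft: it parses the #Fields header of an IIS log, flags POST/PROPFIND requests to /autodiscover/autodiscover.json and Autodiscover requests whose query string contains "powershell", and notes responses above the 10000-byte size threshold the SIEM query uses. The log lines are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample IIS log (not from a real server). IIS writes '+' for spaces
# inside field values, so splitting each row on single spaces is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status sc-bytes
2021-08-10 09:12:01 10.0.0.5 GET /owa/ - 10.0.0.8 Mozilla/5.0 200 4312
2021-08-10 09:12:07 10.0.0.5 POST /autodiscover/autodiscover.json - 198.51.100.7 python-requests/2.25 200 15832
2021-08-10 09:12:09 10.0.0.5 POST /autodiscover/autodiscover.json target=%2Fpowershell 198.51.100.7 python-requests/2.25 200 24011
2021-08-10 09:13:00 10.0.0.5 POST /autodiscover/autodiscover.xml - 10.0.0.9 Microsoft+Office/16.0 200 1200
"""

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
SUSPECT_METHODS = {"POST", "PROPFIND"}
LARGE_RESPONSE_BYTES = 10000  # same threshold as the advisory's SIEM query


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    reasons: tuple


def parse_iis_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed row: skip rather than guess column positions
        yield dict(zip(fields, values))


def flag_proxyshell_indicators(text):
    """Return Findings for rows matching the advisory's Autodiscover indicators."""
    findings = []
    for row in parse_iis_log(text):
        stem, query = row["cs-uri-stem"].lower(), row["cs-uri-query"].lower()
        reasons = []
        if stem == AUTODISCOVER_JSON and row["cs-method"].upper() in SUSPECT_METHODS:
            reasons.append("POST/PROPFIND to autodiscover.json")
        if stem.startswith("/autodiscover/") and "powershell" in query:
            reasons.append("'powershell' in Autodiscover request")
        if reasons and int(row["sc-bytes"]) > LARGE_RESPONSE_BYTES:
            reasons.append("large response")
        if reasons:
            uri = stem if query == "-" else f"{stem}?{query}"
            findings.append(Finding(row["time"], row["c-ip"], row["cs-method"], uri, tuple(reasons)))
    return findings
```

Feed it the output of `Get-Content` over the Exchange front-end IIS log directory; each Finding carries the client IP and the reasons it matched, which is what an analyst needs to pivot on.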
