| Field | Detail |
| --- | --- |
| CVE ID | CVE-2021-26855 (part of a chain with CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) |
| Affected software | Microsoft Exchange Server 2013, 2016, and 2019 (on-premises) |
| Severity | CVSS 9.1 (Critical) — unauthenticated access to mailbox data, chainable to full server compromise |
| Fixed in | Microsoft's emergency security updates, March 2, 2021 |
| Disclosed | March 2, 2021, as an actively exploited zero-day |
What Happened
CVE-2021-26855 was a server-side request forgery (SSRF) flaw: it let an attacker send a specially crafted web request to Exchange's front-end and trick the server into authenticating on the attacker's behalf against its own back-end, without ever supplying valid credentials. On its own this exposed mailbox contents; chained with three other bugs in the same Exchange components, it let attackers write a file to the server — in practice, a web-based backdoor giving persistent remote access.
What This Means
This was a zero-day: it was already being actively exploited in the wild by the time Microsoft and the public learned of it, which means there was no window to patch before attacks began. Because it required no valid login and could be chained all the way to remote code execution, it gave attackers a complete path from "anonymous internet user" to "full control of a mail server."
Why You Should Care
Exchange servers sit at the center of an organization's email and often have deep integration with Active Directory. ProxyLogon mattered because of the scale and speed of exploitation: once the vulnerability chain became public, attackers other than the original group raced to compromise as many internet-facing Exchange servers as possible before patches could be applied, planting web shells for later use.
What You Can Do
- Apply emergency/out-of-band patches immediately for internet-facing mail and collaboration servers — these are high-value, high-exposure targets.
- After patching, actively hunt for indicators of prior compromise (such as unexpected web shell files); patching alone doesn't remove a backdoor planted before the patch.
- Limit direct internet exposure of on-premises Exchange where possible, for example by placing it behind a properly configured reverse proxy or VPN.
- Subscribe to vendor security advisories and have a process to apply emergency patches outside the normal update cycle when a zero-day is disclosed.
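An added example (not from this advisory, Microsoft, or any Exchange tooling) of the post-patch hunt the second bullet calls for: compare the web-facing script files under a web root against a known-good inventory of relative path and SHA-256, and flag anything that is new, whose content differs, or that changed on disk after a cutoff such as the disclosure date. The web root, file names, contents and baseline below are constructed for the demo; on a real server the baseline would come from a clean install or a trusted pre-incident inventory.

```python
import hashlib
import tempfile
from pathlib import Path

# Script extensions IIS will execute; a web shell is a file with one of these
# that nobody legitimately installed. (Assumed set, extend for your deployment.)
WEB_SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def hunt_web_shells(root, baseline, changed_since):
    """Return [(relative_path, reason), ...] for web script files under `root`
    that are absent from the known-good `baseline` ({relpath: sha256}), whose
    content hash no longer matches it, or that were modified at or after
    `changed_since` (a POSIX timestamp, e.g. the disclosure date)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_SCRIPT_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        expected = baseline.get(rel)
        if expected is None:
            findings.append((rel, "not in baseline inventory"))
        elif sha256_of(path) != expected:
            findings.append((rel, "content differs from baseline"))
        elif path.stat().st_mtime >= changed_since:
            findings.append((rel, "modified after cutoff"))
    return findings

def build_demo_tree(root):
    """Constructed sample web root: one untouched page, one page altered after
    the baseline was taken, one dropped file, one non-script file.
    Returns the known-good baseline captured before the alteration."""
    web = Path(root) / "owa"
    web.mkdir(parents=True, exist_ok=True)
    (web / "default.aspx").write_text('<%@ Page Language="C#" %> legitimate page')
    (web / "logon.aspx").write_text('<%@ Page Language="C#" %> original logon page')
    baseline = {f"owa/{p.name}": sha256_of(p) for p in web.iterdir()}
    (web / "logon.aspx").write_text('<%@ Page Language="C#" %> page altered later')
    (web / "dropped.aspx").write_text("<%@ Page %> file nobody installed")
    (web / "readme.txt").write_text("not a script, ignored by the hunt")
    return baseline

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo_tree(tmp)
        # Cutoff of +inf disables the time check so only baseline findings show.
        for rel, reason in hunt_web_shells(tmp, baseline, changed_since=float("inf")):
            print(f"{rel}: {reason}")
```

A hit is a lead, not a verdict: confirm each flagged file by content review before treating the server as compromised, and remember that a baseline taken after the exposure window would already contain the backdoor.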
Within days of disclosure, tens of thousands of Exchange servers worldwide were found compromised with web shell backdoors, as multiple unrelated attacker groups exploited the published details before organizations could patch.
A chain of bugs in Exchange Server let attackers go from anonymous internet access to a persistent backdoor on a mail server — and the attacks started before a patch ever existed.