
Microsoft Exchange Server Server-Side Request Forgery (SSRF) vulnerability

Description

Microsoft Exchange Server contains a Server-Side Request Forgery (SSRF) vulnerability that enables unauthenticated attackers to send arbitrary HTTP requests through the Exchange server and bypass authentication mechanisms. This vulnerability (CVE-2021-26855) is the initial entry point in a critical attack chain that, when combined with three additional vulnerabilities, allows complete server compromise:

CVE-2021-26857 - An insecure deserialization vulnerability in the Unified Messaging service that allows authenticated attackers to execute arbitrary code with SYSTEM privileges by sending maliciously crafted serialized objects.

CVE-2021-26858 - A post-authentication arbitrary file write vulnerability that permits attackers to write malicious files to any location on the Exchange server file system.

CVE-2021-27065 - A second post-authentication arbitrary file write vulnerability with similar capabilities to CVE-2021-26858, providing an alternative exploitation path.

These vulnerabilities affect on-premises deployments only. Exchange Online is not vulnerable.

Affected versions:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Remediation

Apply the appropriate security updates immediately based on your Exchange Server version:

Immediate Actions:

  • Install the latest Cumulative Updates (CU) and Security Updates (SU) from Microsoft for your Exchange Server version
  • For Exchange Server 2013: Install the March 2021 security update or later
  • For Exchange Server 2016: Install the March 2021 security update or later
  • For Exchange Server 2019: Install the March 2021 security update or later
  • Run Microsoft's Exchange On-premises Mitigation Tool (EOMT) if immediate patching is not possible
  • Scan your environment using Microsoft's provided indicators of compromise (IOCs) to detect potential exploitation

Post-Patching Actions:

  • Review Exchange server logs for suspicious activity, particularly unusual authentication patterns or unexpected file modifications
  • Monitor for web shells in the following directories: C:\inetpub\wwwroot\aspnet_client\, C:\Exchange Server\FrontEnd\HttpProxy\owa\auth\
  • Implement network segmentation to limit Exchange server exposure
  • Enable and review Exchange audit logging

For detailed patching instructions and detection guidance, refer to the Microsoft Security Response Center blog post linked in the references.
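A baseline sweep of the two web-shell drop directories named above, as an added example that is not part of this database entry or of Microsoft's tooling. It lists script-executable files created or modified after a cutoff date, records their SHA-256 for comparison against Microsoft's published IOCs, and flags common ASP.NET web-shell markers as triage leads; the default directories are the ones listed in this entry, and the cutoff date and marker list are assumptions to adjust for your environment.

```powershell
# Added example (not from the advisory): sweep Exchange web-shell drop
# directories for recently written script files and flag suspicious content.
# Directory defaults come from this entry; adjust them to your install root.
param(
    [string[]]$Directories = @(
        'C:\inetpub\wwwroot\aspnet_client\',
        'C:\Exchange Server\FrontEnd\HttpProxy\owa\auth\'
    ),
    # Assumed cutoff: shortly before the March 2021 exploitation wave.
    [datetime]$Since = (Get-Date '2021-02-26'),
    [string]$Report = "$env:TEMP\exchange-webshell-sweep.csv"
)

# Script-executable extensions that should not normally appear in these folders.
$extensions = '*.aspx', '*.ashx', '*.asmx', '*.asp'
# Assumed content markers typical of ASP.NET web shells; a hit is a lead, not proof.
$markers = 'Request\[', 'Request\.Form', 'Request\.Item', 'eval\(',
           'Process\.Start', 'ProcessStartInfo', 'cmd\.exe', 'FromBase64String'

$findings = foreach ($dir in $Directories) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Directory not present: $dir"
        continue
    }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            # Collect the distinct marker strings found in the file, if any.
            $hits = Select-String -LiteralPath $_.FullName -Pattern $markers -AllMatches -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
                # SHA-256 lets the file be matched against Microsoft's IOC list.
                Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Markers   = ($hits -join ';')
            }
        }
}

# Newest modifications first; every listed file deserves a manual look.
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
$findings | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host "Wrote $($findings.Count) candidate file(s) to $Report"
```

Run it from an elevated Exchange Management Shell or PowerShell session on each on-premises server, and treat any file with a recent timestamp or non-empty Markers column as a candidate for isolation and forensic review rather than immediate deletion.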
