9.8

CVE-2021-26855

Warnung
Medienbericht
Exploit

Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MicrosoftExchange Server Version2013 Updatecumulative_update_21
MicrosoftExchange Server Version2013 Updatecumulative_update_22
MicrosoftExchange Server Version2013 Updatecumulative_update_23
MicrosoftExchange Server Version2016 Updatecumulative_update_10
MicrosoftExchange Server Version2016 Updatecumulative_update_11
MicrosoftExchange Server Version2016 Updatecumulative_update_12
MicrosoftExchange Server Version2016 Updatecumulative_update_13
MicrosoftExchange Server Version2016 Updatecumulative_update_14
MicrosoftExchange Server Version2016 Updatecumulative_update_15
MicrosoftExchange Server Version2016 Updatecumulative_update_16
MicrosoftExchange Server Version2016 Updatecumulative_update_17
MicrosoftExchange Server Version2016 Updatecumulative_update_18
MicrosoftExchange Server Version2016 Updatecumulative_update_19
MicrosoftExchange Server Version2016 Updatecumulative_update_8
MicrosoftExchange Server Version2016 Updatecumulative_update_9
MicrosoftExchange Server Version2019 Update-
MicrosoftExchange Server Version2019 Updatecumulative_update_1
MicrosoftExchange Server Version2019 Updatecumulative_update_2
MicrosoftExchange Server Version2019 Updatecumulative_update_3
MicrosoftExchange Server Version2019 Updatecumulative_update_4
MicrosoftExchange Server Version2019 Updatecumulative_update_5
MicrosoftExchange Server Version2019 Updatecumulative_update_6
MicrosoftExchange Server Version2019 Updatecumulative_update_7
MicrosoftExchange Server Version2019 Updatecumulative_update_8

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Exchange Server Remote Code Execution Vulnerability

Schwachstelle

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 100% 1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
secure@microsoft.com 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
26.06.2026 21:08
http://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html
Third Party Advisory
Exploit
VDB Entry
http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html
Third Party Advisory
Exploit
VDB Entry
http://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html
Third Party Advisory
Exploit
VDB Entry
http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html
Third Party Advisory
Exploit
VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
Patch
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26855
US Government Resource