Tags: ProxyLogon, Exchange, Microsoft, CVE-2021-26855, SSRF, RCE

ProxyLogon CVE-2021-26855: The Critical Microsoft Exchange Vulnerability

ProxyLogon is one of the most exploited Exchange vulnerabilities in history. Analysis of CVE-2021-26855, the full exploit chain and remediation steps.

April 23, 2026 - 3 min read

In March 2021, Microsoft disclosed ProxyLogon — a chain of vulnerabilities in Microsoft Exchange Server that allows any unauthenticated attacker on the internet to fully compromise an Exchange server. Before patches were even published, tens of thousands of servers had already been compromised by Chinese APT groups.

The ProxyLogon Chain

ProxyLogon is not a single CVE but a chain of four vulnerabilities that, combined, give full server access:

CVE-2021-26855 — Pre-authenticated SSRF (CVSS 9.8)

The core vulnerability. A Server-Side Request Forgery in Exchange's proxy component lets an attacker bypass authentication by sending specially crafted HTTP requests. The attacker can impersonate any Exchange user, including administrators.

CVE-2021-26857 — Insecure Deserialization (CVSS 7.8)

A deserialization flaw in the Unified Messaging service enables code execution with SYSTEM privileges. Requires Exchange admin rights — obtained via CVE-2021-26855.

CVE-2021-26858 and CVE-2021-27065 — Arbitrary File Write (CVSS 7.8)

After authentication (obtained via the SSRF), these vulnerabilities allow writing arbitrary files to the server, including web shells in publicly accessible directories.

The Full Chain

Internet → CVE-2021-26855 (SSRF) → Auth bypass
         → CVE-2021-26858 or 27065 → Web shell dropped
         → Full server access

Affected versions:

  • Exchange Server 2013, 2016, 2019 (on-premises only)
  • Exchange Online (Microsoft 365) is not affected

Mass Exploitation Before the Patch

The HAFNIUM APT group (attributed to China by Microsoft) had been exploiting these vulnerabilities since January 2021 — two months before public disclosure. Other groups rapidly followed after patches were released on March 2, 2021.

Scale of the Attack

  • 250,000+ Exchange servers compromised within days
  • 30,000 organizations in the US affected, according to KrebsOnSecurity
  • China Chopper web shells dropped on thousands of government, industrial and academic servers
  • CISA issued an emergency directive requiring federal agencies to patch within 24 hours

What Attackers Did

Once a web shell was planted, attackers would:

  1. Exfiltrate complete mailboxes (emails, contacts, calendars)
  2. Pivot to Active Directory to escalate privileges to Domain Admin
  3. Install persistent backdoors (Cobalt Strike, etc.)
  4. Deploy ransomware weeks later in some cases

Detecting a Compromise

Microsoft released an official detection script:

# Download and run Microsoft's detection script
# (run on the Exchange server itself, from an elevated PowerShell session,
#  so it can read the HttpProxy and Windows event logs it inspects)
Invoke-WebRequest -Uri https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1 -OutFile Test-ProxyLogon.ps1
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Indicators of Compromise (IOCs)

Check for web shells in these directories:

C:\inetpub\wwwroot\aspnet_client\
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\

Look for recent .aspx files that don't belong. Common attacker filenames: web.aspx, help.aspx, document.aspx, errorEE.aspx.

In IIS logs, look for requests to /owa/auth/ that contain the strings X-AnonResource-Backend or X-BEResource.
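The two checks above, as an added example (not Microsoft's Test-ProxyLogon.ps1 and not code from the original post): a small IIS W3C log scanner that flags requests carrying the X-AnonResource-Backend / X-BEResource markers, and a filter over a directory listing of the web-shell paths that flags known attacker filenames or recently modified .aspx files. The log sample and directory listing are constructed; the scanner assumes IIS was configured to log the cs(Cookie) field (off by default) and, going slightly beyond the text, flags the markers on any path rather than only /owa/auth/.

```python
from datetime import date

MARKERS = ("X-AnonResource-Backend", "X-BEResource")
SUSPECT_NAMES = {"web.aspx", "help.aspx", "document.aspx", "erroree.aspx"}
SHELL_DIRS = (
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
)
EXPLOITATION_START = date(2021, 1, 1)   # HAFNIUM activity began in January 2021

# Constructed sample log; assumes cs(Cookie) logging is enabled (not the IIS
# default). Cookie values are placeholders, only the marker names matter here.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2021-03-03 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 200 -
2021-03-03 08:12:07 198.51.100.7 POST /owa/auth/x.js - 200 X-AnonResource-Backend=placeholder;X-BEResource=placeholder
2021-03-03 08:12:09 198.51.100.7 GET /ecp/y.js - 200 X-BEResource=placeholder
2021-03-03 08:13:00 10.0.0.9 GET /owa/auth/logon.aspx - 200 -
"""
# Constructed directory listing: (directory, file name, last-modified date).
SAMPLE_LISTING = [
    (SHELL_DIRS[0], "web.aspx", date(2021, 3, 3)),      # known attacker name
    (SHELL_DIRS[1], "logon.aspx", date(2019, 6, 1)),    # legitimate OWA page
    (SHELL_DIRS[2], "zq1k.aspx", date(2021, 3, 4)),     # unknown name, recent
]

def parse_w3c(text):
    """Turn IIS W3C log text into one dict per request, keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # header defines the column order
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):      # drop truncated lines, don't misalign
                rows.append(dict(zip(fields, values)))
    return rows

def find_proxylogon_requests(text):
    """(time, client ip, uri) for requests whose cookie carries a ProxyLogon marker.
    Checks every path, not only /owa/auth/: these markers have no legitimate use."""
    return [(r["time"], r["c-ip"], r["cs-uri-stem"]) for r in parse_w3c(text)
            if any(m in r.get("cs(Cookie)", "") for m in MARKERS)]

def suspect_aspx(listing, cutoff):
    """.aspx files in the web-shell directories with a known attacker name or
    modified on/after `cutoff`. Timestamps can be forged, so treat this as a triage aid."""
    return [(d, n) for d, n, modified in listing
            if d in SHELL_DIRS and n.lower().endswith(".aspx")
            and (n.lower() in SUSPECT_NAMES or modified >= cutoff)]
```

Feed real IIS logs to find_proxylogon_requests() and a listing built from os.scandir() over SHELL_DIRS to suspect_aspx(); every hit should be reconciled against a known deployment before being dismissed.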

Remediation

1. Patch Immediately

Patches are available for Exchange 2013, 2016, and 2019. Apply the corresponding Cumulative Updates (CUs).

2. If Compromised: Isolate Before Patching

Isolate the Exchange server from the network, analyze the logs, identify and remove any web shells, and reset all passwords (Exchange accounts, local administrators, Active Directory).

3. Reduce the Attack Surface

  • Only expose Exchange to the internet if truly necessary
  • Use a WAF (Web Application Firewall) in front of Exchange
  • Enable multi-factor authentication
  • Consider migrating to Exchange Online (not affected)

4. Continuous Monitoring

Enable Exchange audit logging and forward to a SIEM. Attackers frequently return months after the initial compromise.

ProxyShell: The Sequel in 2021

Months after ProxyLogon, researchers discovered ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) — another critical Exchange chain, massively exploited in summer 2021. On-premises Exchange is regularly targeted: if you still run it, patch management must be an absolute priority.
