Safeguard
Vulnerability Analysis

ProxyLogon Microsoft Exchange RCE chain (CVE-2021-26855)

A deep dive into ProxyLogon (CVE-2021-26855 and chain): the unauthenticated Exchange RCE that enabled HAFNIUM and mass ransomware attacks.

Nayan Dey
Security Researcher
7 min read

A single unauthenticated HTTP request was all it took. CVE-2021-26855, the server-side request forgery (SSRF) flaw at the heart of the ProxyLogon exploit chain, let attackers impersonate the Exchange server to itself and forge authentication — no credentials, no phishing, no user interaction required. Chained with three follow-on bugs, it delivered full unauthenticated remote code execution on Microsoft Exchange Server, and within weeks of disclosure it was used to compromise tens of thousands of organizations worldwide, from small businesses to national governments. ProxyLogon remains one of the most consequential vulnerability disclosures in the history of enterprise email infrastructure, and it is a textbook case study in why "patch when convenient" is not a viable strategy for internet-facing mail servers.

The vulnerability

ProxyLogon is not one CVE but a chain of four:

  • CVE-2021-26855 — SSRF in Exchange's Client Access Service (CAS). By manipulating the front-end X-BEResource cookie/header used in Exchange's proxy architecture, an unauthenticated attacker can trick the server into routing a request to itself with elevated privileges, effectively bypassing authentication.
  • CVE-2021-26857 — Insecure deserialization in the Unified Messaging service, which runs as SYSTEM. Exploiting it requires either admin credentials or, critically, the access obtained via CVE-2021-26855.
  • CVE-2021-26858 and CVE-2021-27065 — Post-authentication arbitrary file write vulnerabilities in Exchange's Client Access and admin components, which attackers use to drop a webshell once authenticated access has been faked.

Chained together, the sequence is: SSRF grants a forged authenticated session → deserialization bug or file-write flaw drops an arbitrary file (typically an ASPX webshell) into an IIS-reachable path → the attacker now has code execution as SYSTEM on the mail server, with a durable backdoor to return to. Security researcher Orange Tsai of DEVCORE discovered the chain and demonstrated it live at Pwn2Own-style research, reporting it to Microsoft in early January 2021.

Affected versions and components

ProxyLogon affects on-premises Microsoft Exchange Server only — Exchange Online (Microsoft 365) was never vulnerable because it does not run the same CAS proxy architecture in customer-managed form. Affected on-prem builds included:

  • Microsoft Exchange Server 2013 (all Cumulative Updates prior to CU23)
  • Microsoft Exchange Server 2016 (prior to CU19/CU20)
  • Microsoft Exchange Server 2019 (prior to CU8/CU9)

Exchange Server 2010 was not part of the original ProxyLogon chain but received a related patch out of caution. Any organization running on-prem or hybrid Exchange with the Client Access role exposed to the internet — which is the default deployment pattern for OWA (Outlook Web Access) and Autodiscover — was exposed by default, with no attacker-side prerequisites beyond network reachability to port 443.

CVSS, EPSS, and KEV context

  • CVE-2021-26855: CVSS v3.1 base score 9.1 (Critical) — network, no privileges required, no user interaction, high impact to confidentiality and integrity.
  • CVE-2021-26857: CVSS 7.8 (High).
  • CVE-2021-26858 / CVE-2021-27065: CVSS 7.8 (High) each.
  • Chained severity: treated across the industry as a critical, pre-auth RCE — several vendors and Microsoft's own advisories describe the practical impact of the chain as equivalent to a 9.8-class unauthenticated RCE.
  • EPSS: ProxyLogon's components consistently score in the highest EPSS percentile (upper 90s), reflecting sustained, high-volume real-world exploitation years after disclosure — old Exchange boxes are still being scanned and hit today.
  • CISA KEV: All four CVEs in the chain are listed in CISA's Known Exploited Vulnerabilities catalog, and ProxyLogon was one of the vulnerabilities that helped justify the KEV program's creation, alongside CISA Emergency Directive 21-02, which mandated federal agencies patch or disconnect vulnerable Exchange servers within days.

Timeline

  • August 2020 — Orange Tsai (DEVCORE) discovers the SSRF and chains it with the deserialization/file-write bugs during independent research.
  • January 5, 2021 — DEVCORE reports the chain to Microsoft's MSRC.
  • Early January 2021 — Before a patch exists, the threat actor tracked by Microsoft as HAFNIUM (widely attributed to a China-based espionage group) begins exploiting the chain in the wild against U.S.-based targets, including defense contractors, think tanks, and universities.
  • February 2021 — Exploitation broadens beyond HAFNIUM as other actors independently discover or acquire the technique; scanning activity increases sharply.
  • March 2, 2021 — Microsoft releases out-of-band security updates for CVE-2021-26855, -26857, -26858, and -27065, a full week ahead of the normal Patch Tuesday cadence — a strong signal of how urgently Microsoft viewed active exploitation.
  • March 3–12, 2021 — Proof-of-concept exploit code is published publicly, triggering mass, indiscriminate scanning and exploitation by dozens of unrelated threat actors, including cryptomining crews and the operators of DearCry ransomware.
  • March 15, 2021 — Microsoft ships the Exchange On-premises Mitigation Tool (EOMT) for organizations that cannot immediately patch.
  • Ongoing — Estimates at the time put compromised server counts in the tens of thousands globally; internet-wide scanning for unpatched Exchange servers continues to this day, and the chain is regularly cited in ransomware and espionage incident reports years later.

Remediation steps

If you operate on-premises Exchange, treat this as an active, evergreen threat — not a 2021 news story.

  1. Patch immediately to a supported, fully updated Cumulative Update. Apply the latest Exchange Server Security Update for your CU level (2013 CU23, 2016 CU19/CU20+, 2019 CU8/CU9+), then keep current — Exchange servers routinely fall multiple CUs behind because updates require careful scheduling.
  2. Run Microsoft's Exchange Health Checker and Test-ProxyLogon.ps1 (or the successor Exchange On-premises Mitigation Tool) to confirm patch status and scan for known indicators of prior compromise.
  3. Hunt for webshells and persistence. Search inetpub\wwwroot\aspnet_client and OWA/ECP virtual directories for unexpected .aspx files; China Chopper and similar single-line webshells were the most common payload dropped via this chain.
  4. Review IIS and Exchange HTTP logs for anomalous POST requests to /owa/, /ecp/, and /autodiscover/ with unusual X-BEResource or X-AnonResource header values, or for unauthenticated requests preceding suspicious file writes.
  5. Rotate credentials and audit for lateral movement if any indicator of compromise is found — assume domain-level compromise until proven otherwise, since HAFNIUM-style intrusions frequently used Exchange access as a beachhead for broader Active Directory compromise.
  6. Reduce exposure by placing Exchange Client Access services behind a VPN or reverse proxy with strict access controls where business requirements allow, and disable Unified Messaging if it is not in active use.
  7. Enable AMSI integration on Exchange (supported since the September 2021 CU) so that endpoint protection can inspect payloads passed to IIS at runtime, adding a detection layer against future chain variants.
  8. Track downstream CVEs. Exchange has had multiple related post-auth chains since (ProxyShell, ProxyNotShell, ProxyOracle) that reuse similar CAS-proxy architecture flaws — patch cadence discipline matters more than any single CVE.

How Safeguard Helps

Chains like ProxyLogon are exactly why point-in-time vulnerability scanning isn't enough — you need to know which of your exposed assets actually run the vulnerable Exchange components, and whether the affected code paths are reachable from the internet-facing surface attackers actually hit. Safeguard's reachability analysis correlates your SBOM inventory against live exploit paths, so instead of a flat list of "Exchange servers with CVE-2021-26855" you get a prioritized view of which instances have the vulnerable CAS proxy component actually exposed and reachable. Griffin AI, Safeguard's detection and triage engine, continuously ingests KEV, EPSS, and exploitation telemetry to re-rank findings like ProxyLogon above lower-urgency CVEs the moment real-world exploitation signals spike — exactly what happened in March 2021. Safeguard's SBOM generation and ingestion pipeline gives you a durable, queryable record of every Exchange build and CU level across your fleet, so "are we patched everywhere" becomes a query instead of a fire drill. And where a fix is available, Safeguard can open auto-fix pull requests for supporting infrastructure-as-code and configuration repositories, cutting the time between disclosure and remediation for the parts of your stack that live in version control. For infrastructure like Exchange that predates modern SBOM tooling, Safeguard still gives your team the prioritized, exploit-aware visibility needed to patch the right systems first.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.