Attacker Value
Very High
(2 users assessed)
(2 users assessed)
User Interaction
Privileges Required
Attack Vector


Disclosure Date: March 03, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.


Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.

Add Assessment

Technical Analysis

When used with CVE-2021-26855, an unauthenticated SSRF, CVE-2021-27065 yields unauthed, SYSTEM-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the EAC/ECP interface, which is a privileged and authenticated web interface.

I was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target’s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for EWS, but “OAB” caught my eye due to its published IOCs. (OAB is Microsoft’s implementation of offline address books in Exchange.)

Writing an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are well-documented by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.

Technical Analysis

This is a post-authentication arbitrary file write vulnerability that has been actively exploited. Now, an exploit module has been added to Metasploit, which leverages both the Server-Side Request Forgery vulnerability identified as CVE-2021-26855 and this arbitrary file write vulnerability. The SSRF is mainly used to retrieve internal information such as the user SID, session ID, canary value, etc. It also allows bypassing authentication to exploit CVE-2021-27065 and creates a custom .aspx web page that embeds a web shell. Once this backdoor is planted, the module uses it to stage the actual payload and execute it.

Note that, for this exploit to work, two Exchange Servers are needed. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets. The Exchange Admin Center (EAC) web interface, usually located at https://<ServerFQDN>/ecp, needs to be accessible on at least one server. Also, the email address of an Administrator on the Exchange server needs to be provided to the module. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
Exploitability Score:
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C):
Integrity (I):
Availability (A):

General Information


  • Microsoft


  • Microsoft Exchange Server 2013,
  • Microsoft Exchange Server 2016 Cumulative Update 14,
  • Microsoft Exchange Server 2019 Cumulative Update 4,
  • Microsoft Exchange Server 2016 Cumulative Update 15,
  • Microsoft Exchange Server 2019 Cumulative Update 5,
  • Microsoft Exchange Server 2019 Cumulative Update 6,
  • Microsoft Exchange Server 2016 Cumulative Update 16,
  • Microsoft Exchange Server 2019 Cumulative Update 7,
  • Microsoft Exchange Server 2016 Cumulative Update 18,
  • Microsoft Exchange Server 2016 Cumulative Update 19,
  • Microsoft Exchange Server 2019 Cumulative Update 8

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis