Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Local

CVE-2021-34523

Disclosure Date: July 14, 2021
Exploited in the Wild
MITRE ATT&CK tactic: Initial Access
Validation: Validated

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

Technical Analysis

CVE-2021-34523 is a privilege escalation vulnerability in Microsoft Exchange Server that arises due to improper validation of PowerShell remoting requests. This vulnerability enables an attacker to elevate their privileges within the Exchange server environment.

Affected Versions

The vulnerability affects the following versions of Exchange Server:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Root Cause

The issue stems from insufficient authentication and access controls in the Exchange PowerShell backend interface. Specifically, the Exchange PowerShell service fails to properly validate caller identities and privileges, which can be exploited to execute commands with elevated permissions.

Exploitation

An attacker with authenticated access to the Exchange server (e.g., as a low-privilege user) can exploit this vulnerability by:

  • Crafting Malicious PowerShell Requests: Sending specially crafted requests to the Exchange PowerShell endpoint.
  • Escalating Privileges: Abusing the vulnerability to gain higher-level privileges, such as those of a Domain Admin or SYSTEM account.
  • Remote Code Execution (Chained Exploitation): Combining this vulnerability with others (e.g., CVE-2021-34473) can lead to full remote compromise.

CISA released an updated advisory on the BianLian ransomware group, including the vulnerabilities the group is using to gain initial access to victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf

CVSS V3 Severity and Metrics

Base Score: 9.0 Critical
Impact Score: 5.8
Exploitability Score: 2.5
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): None

General Information

Vendors

  • microsoft

Products

  • exchange server 2013
  • exchange server 2016
  • exchange server 2019
