CVE-2021-26857 Overview
CVE-2021-26857 is a remote code execution vulnerability in Microsoft Exchange Server, classified as insecure deserialization (CWE-502): the Unified Messaging service deserializes data it should not trust, and a crafted serialized object lets an attacker run arbitrary code on the server. It is one of the four Exchange flaws (with CVE-2021-26855, CVE-2021-26858 and CVE-2021-27065) exploited in the ProxyLogon campaign that Microsoft disclosed on 2 March 2021, when exploitation in the wild was already under way.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Organizations running affected versions of Microsoft Exchange Server should prioritize immediate remediation.
Affected Products
- Microsoft Exchange Server 2010 SP3
- Microsoft Exchange Server 2013 (CU22, CU23, SP1)
- Microsoft Exchange Server 2016 (CU8 through CU19)
- Microsoft Exchange Server 2019 (RTM through CU8)
Exchange Online is not affected; only on-premises servers are in scope, including the on-premises side of hybrid deployments.
Discovery Timeline
- 2021-03-02 - Microsoft publishes the advisory and out-of-band security updates and discloses active exploitation by HAFNIUM
- 2021-03-03 - CVE-2021-26857 published to NVD; CISA issues Emergency Directive 21-02 requiring federal agencies to patch or disconnect affected servers
- 2025-12-18 - Last updated in NVD database
Technical Details for CVE-2021-26857
Vulnerability Analysis
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging (UM) service of Microsoft Exchange Server. The UM service deserializes data an attacker can control, and because the deserialization does not constrain what that data may instantiate, a crafted payload leads to code execution. Exploitation yields code execution as SYSTEM on the Exchange server.
It was one of four Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26858, CVE-2021-27065 and this one) used by HAFNIUM, a state-sponsored group that Microsoft attributes to China, and soon afterwards by many other actors. In the observed chain, the server-side request forgery CVE-2021-26855 gave unauthenticated access, and the post-authentication arbitrary file write flaws CVE-2021-26858 and CVE-2021-27065 were used to drop web shells for persistence; CVE-2021-26857 provided a separate route to SYSTEM-level code execution through UM. Microsoft notes that it requires administrator permission or another vulnerability to exploit.
Root Cause
The root cause of CVE-2021-26857 is improper validation and handling of serialized objects within the Exchange Unified Messaging service. The service deserializes untrusted data without adequate verification, so malicious serialized objects are processed as if they were legitimate. As with other .NET deserialization flaws, the attacker chooses which types get instantiated, and the constructors, property setters or finalizers of those types run attacker-controlled logic; because the Unified Messaging service runs as SYSTEM, so does that logic.
Attack Vector
Microsoft scores the flaw CVSS 7.8 with a local attack vector and no user interaction required, and states that exploiting it needs administrator permission or another vulnerability. In ProxyLogon it was therefore a post-access step: once CVE-2021-26855 (SSRF) or a web shell had provided a foothold, the attacker delivered a crafted serialized payload to the Unified Messaging service, and deserialization of that payload executed code, enabling the attacker to:
- Execute arbitrary commands with SYSTEM privileges
- Deploy web shells for persistent access
- Exfiltrate sensitive email data and credentials
- Move laterally within the organization's network
The vulnerability does not require user interaction; its prerequisite is privileged access to the server, which the other ProxyLogon flaws supplied, so within the chain it was effectively exploitable by a remote, unauthenticated attacker.
Detection Methods for CVE-2021-26857
Indicators of Compromise
- Suspicious processes spawned by the Unified Messaging service (UMService.exe or UMWorkerProcess.exe)
- Unexpected web shells in Exchange directories such as C:\inetpub\wwwroot\aspnet_client\ or C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
- Unusual PowerShell or command shell execution from Exchange service contexts
- Evidence of w3wp.exe spawning suspicious child processes
- Application event log errors from source MSExchange Unified Messaging whose message contains System.InvalidCastException (Microsoft's published indicator for this CVE); such an event shows an exploitation attempt, not necessarily a successful one, and its absence does not prove the server is clean
Detection Strategies
- Monitor for process creation events where parent process is UMService.exe or UMWorkerProcess.exe spawning command interpreters
- Deploy YARA rules targeting known web shell artifacts associated with Exchange exploitation campaigns
- Implement file integrity monitoring on Exchange Server web directories to detect unauthorized file creation
- Query the Application log for Error entries from source MSExchange Unified Messaging that mention System.InvalidCastException, the deserialization failure Microsoft associates with exploitation attempts
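The two host-side signals above (the UM InvalidCastException errors and UM processes spawning command interpreters) as reusable checks, added here as an example; this is not Microsoft's code and not code from the original page. It assumes English-language 4688 message text ("New Process Name:", "Creator Process Name:") and that process-creation auditing is enabled so 4688 events exist. The sample records are constructed to look like Get-WinEvent output and are not real telemetry.

```powershell
# Added example for this page (not Microsoft's code, not from the original article).
# Assumptions: English 4688 message template; process-creation auditing enabled.

function Find-UmDeserializationErrors {
    # Microsoft's published check for CVE-2021-26857: Application-log errors raised by the
    # "MSExchange Unified Messaging" source whose text mentions System.InvalidCastException.
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object {
        $_.ProviderName -eq 'MSExchange Unified Messaging' -and
        $_.LevelDisplayName -eq 'Error' -and
        $_.Message -like '*System.InvalidCastException*'
    }
}

function Find-UmSpawnedProcesses {
    # Security 4688 records whose creator is a Unified Messaging process. UM has no business
    # launching anything, so every hit is worth review; command interpreters are flagged separately.
    param([Parameter(Mandatory)] [object[]] $Events)
    $umParents    = 'umservice.exe', 'umworkerprocess.exe'
    $interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'
    foreach ($e in $Events) {
        if ($e.Id -ne 4688) { continue }
        # Parse the message text rather than EventData indexes, which differ between Windows builds.
        if ($e.Message -notmatch 'Creator Process Name:\s*(.+?)\s*(?:\r?\n|$)') { continue }
        $parent = $Matches[1]
        if ($e.Message -notmatch 'New Process Name:\s*(.+?)\s*(?:\r?\n|$)') { continue }
        $child = $Matches[1]
        if ($umParents -contains (Split-Path -Leaf $parent).ToLower()) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $parent
                Child       = $child
                Interpreter = $interpreters -contains (Split-Path -Leaf $child).ToLower()
            }
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (not real telemetry). The two
# Application records carry no event ID on purpose: the check keys on source, level and message text.
$crlf = "`r`n"
$sampleEvents = @(
    [pscustomobject]@{   # UM error with the InvalidCastException signature (wording illustrative)
        TimeCreated = [datetime]'2021-03-03T02:14:07'; LogName = 'Application'
        ProviderName = 'MSExchange Unified Messaging'; LevelDisplayName = 'Error'
        Message = 'The Unified Messaging server encountered an error while processing a request. ' +
                  'System.InvalidCastException: Unable to cast object of type ...'
    }
    [pscustomobject]@{   # routine UM informational event, must not match
        TimeCreated = [datetime]'2021-03-03T02:15:00'; LogName = 'Application'
        ProviderName = 'MSExchange Unified Messaging'; LevelDisplayName = 'Information'
        Message = 'The Microsoft Exchange Unified Messaging service started.'
    }
    [pscustomobject]@{   # 4688: UM worker spawning cmd.exe, the classic post-exploitation sign
        TimeCreated = [datetime]'2021-03-03T02:14:09'; LogName = 'Security'; Id = 4688
        ProviderName = 'Microsoft-Windows-Security-Auditing'; LevelDisplayName = 'Information'
        Message = 'A new process has been created.' + $crlf +
                  "New Process Name:`tC:\Windows\System32\cmd.exe" + $crlf +
                  "Creator Process Name:`tC:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe" + $crlf +
                  "Process Command Line:`tcmd.exe /c whoami"
    }
    [pscustomobject]@{   # 4688 with a non-UM parent, outside this check's scope
        TimeCreated = [datetime]'2021-03-03T02:16:30'; LogName = 'Security'; Id = 4688
        ProviderName = 'Microsoft-Windows-Security-Auditing'; LevelDisplayName = 'Information'
        Message = 'A new process has been created.' + $crlf +
                  "New Process Name:`tC:\Windows\System32\conhost.exe" + $crlf +
                  "Creator Process Name:`tC:\Windows\System32\svchost.exe"
    }
)

$umErrors = @(Find-UmDeserializationErrors -Events $sampleEvents)
$spawned  = @(Find-UmSpawnedProcesses -Events $sampleEvents)
"UM InvalidCastException errors: $($umErrors.Count)   processes spawned by UM: $($spawned.Count)"
$spawned | Format-Table -AutoSize   # one row: cmd.exe under UMWorkerProcess.exe, Interpreter = True

# Live use on the Exchange server (elevated shell). Level 2 is Error.
# $app = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'; Level = 2 } -ErrorAction SilentlyContinue
# Find-UmDeserializationErrors -Events $app
# $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue
# Find-UmSpawnedProcesses -Events $sec
```

Against the sample set the first function returns the single UM error and the second returns only the cmd.exe launch under UMWorkerProcess.exe; the svchost.exe record is ignored because its parent is not a UM process. Parsing the 4688 message text keeps the check independent of EventData field positions, at the cost of depending on the English message template; on a non-English server, match on the localized labels or switch to the event's XML properties.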
Monitoring Recommendations
- Enable enhanced Exchange Server logging including IIS logs, Exchange Management Shell audit logs, and Windows Security event logs
- Implement network monitoring for anomalous outbound connections from Exchange servers
- Use endpoint detection and response (EDR) solutions to monitor Exchange server processes for suspicious behavior patterns
- Regularly scan Exchange directories for unauthorized files or web shells; Microsoft's Test-ProxyLogon.ps1 (from the CSS-Exchange repository on GitHub) checks the logs and web directories for indicators of all four ProxyLogon CVEs, while its HealthChecker.ps1 reports whether the installed build carries the fix
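One way to implement the file integrity monitoring and directory scanning recommended above, added here as an example (not Microsoft's code and not from the original page): hash the script-capable files under the Exchange web roots once from a known-clean state, then diff later inventories against that baseline. The demonstration runs on a constructed temporary tree that mimics the two web roots; the real roots are noted at the end. The web-shell file name and contents in the demonstration are placeholders, not real shell code.

```powershell
# Added example for this page (not Microsoft's code, not from the original article).

function Get-WebFileInventory {
    # Hash every .aspx/.ashx/.asmx file under the given roots (the extensions used by Exchange web shells).
    param([Parameter(Mandatory)] [string[]] $Paths)
    Get-ChildItem -Path $Paths -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Hash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Created = $_.CreationTimeUtc
            }
        }
}

function New-WebFileBaseline {
    # Take the baseline from a known-clean state (fresh install, or right after patching and a clean
    # Test-ProxyLogon.ps1 run); a shell already present at baseline time would be accepted as normal.
    param([Parameter(Mandatory)] [string[]] $Paths, [Parameter(Mandatory)] [string] $OutFile)
    Get-WebFileInventory -Paths $Paths | Export-Clixml -Path $OutFile
}

function Compare-WebFileBaseline {
    # Report files that are new, changed or missing relative to the baseline.
    param([Parameter(Mandatory)] [string] $BaselineFile, [Parameter(Mandatory)] [string[]] $Paths)
    $baseline = @{}
    foreach ($b in @(Import-Clixml -Path $BaselineFile)) { $baseline[$b.Path] = $b.Hash }
    $seen = @{}
    foreach ($f in @(Get-WebFileInventory -Paths $Paths)) {
        $seen[$f.Path] = $true
        if (-not $baseline.ContainsKey($f.Path)) {
            [pscustomobject]@{ Status = 'NEW';      Path = $f.Path; Created = $f.Created }
        } elseif ($baseline[$f.Path] -ne $f.Hash) {
            [pscustomobject]@{ Status = 'MODIFIED'; Path = $f.Path; Created = $f.Created }
        }
    }
    foreach ($p in $baseline.Keys) {
        if (-not $seen.ContainsKey($p)) { [pscustomobject]@{ Status = 'DELETED'; Path = $p; Created = $null } }
    }
}

# --- Demonstration on a constructed temp tree mimicking the two Exchange web roots ---
$root    = Join-Path ([IO.Path]::GetTempPath()) ('exwebfim-' + [guid]::NewGuid().ToString('N'))
$owaAuth = Join-Path $root 'FrontEnd\HttpProxy\owa\auth'
$aspnet  = Join-Path $root 'aspnet_client\system_web'
New-Item -ItemType Directory -Path $owaAuth, $aspnet -Force | Out-Null
Set-Content -Path (Join-Path $owaAuth 'logon.aspx') -Value '<%@ Page Language="C#" %> <!-- constructed stand-in for a shipped OWA page -->'
$baselineFile = Join-Path $root 'web-baseline.xml'
New-WebFileBaseline -Paths $owaAuth, $aspnet -OutFile $baselineFile

# Simulate what an intrusion leaves behind: a new .aspx under aspnet_client and a tampered shipped page.
Set-Content -Path (Join-Path $aspnet 'supp0rt.aspx') -Value '<!-- constructed placeholder, not web shell content -->'
Add-Content -Path (Join-Path $owaAuth 'logon.aspx') -Value '<!-- appended after the baseline was taken -->'

Compare-WebFileBaseline -BaselineFile $baselineFile -Paths $owaAuth, $aspnet | Format-Table -AutoSize
# Reports NEW for ...\aspnet_client\system_web\supp0rt.aspx and MODIFIED for ...\owa\auth\logon.aspx
Remove-Item -Path $root -Recurse -Force

# On a real Exchange 2013/2016/2019 server the roots are (ExchangeInstallPath is set by Exchange setup):
# $roots = (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'), 'C:\inetpub\wwwroot\aspnet_client'
# New-WebFileBaseline -Paths $roots -OutFile 'C:\Secure\web-baseline.xml'   # once, from a clean state
# Compare-WebFileBaseline -BaselineFile 'C:\Secure\web-baseline.xml' -Paths $roots   # on a schedule
```

Listing every .aspx in owa\auth is not useful on its own because Exchange ships .aspx pages there; the baseline is what turns the listing into a signal. Keep the baseline file off the web roots and re-take it after each CU or security update, since those legitimately change the shipped pages.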
How to Mitigate CVE-2021-26857
Immediate Actions Required
- Apply the security updates from Microsoft immediately for all affected Exchange Server versions
- Run the Microsoft Safety Scanner (MSERT) tool on Exchange servers to detect and remove known threats
- Review Exchange servers for indicators of compromise with Microsoft's Test-ProxyLogon.ps1 (CSS-Exchange repository), which checks for all four ProxyLogon CVEs, and with the published IOC lists; treat any hit as a confirmed intrusion until investigated
- If Unified Messaging is not required, consider disabling the service as a temporary risk reduction measure
- Isolate potentially compromised Exchange servers from the network pending investigation
Patch Information
Microsoft has released security updates addressing CVE-2021-26857. Organizations should consult the Microsoft Security Advisory CVE-2021-26857 for detailed patch information and update guidance specific to their Exchange Server version. CISA has also published guidance in their Known Exploited Vulnerabilities Catalog.
For Exchange Server 2013, 2016 and 2019 the security update installs only on a supported Cumulative Update (at release: 2013 CU23, 2016 CU18 and CU19, 2019 CU7 and CU8), so servers on an older CU must be brought to a supported CU first; Microsoft later shipped one-time updates for some unsupported CUs as a stopgap, but those are not a substitute for updating the CU. Run the update installer from an elevated command prompt, since an unelevated install can appear to succeed while leaving the server unpatched. Exchange Server 2010 SP3 was already out of support, but Microsoft released Update Rollup 32 for it as a defense-in-depth fix for CVE-2021-26857 only.
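A check for the patch level, added here as an example (not Microsoft's code and not from the original page). The minimum fixed builds are taken from Microsoft's March 2021 Exchange security update announcement and should be confirmed against the advisory before being relied on; Exchange 2010 SP3 is keyed by its Update Rollup 32 build because 2010 has no CU scheme. The sample builds fed to the function are constructed, not read from a server.

```powershell
# Added example for this page (not Microsoft's code, not from the original article).
# Fixed-build table assumed from Microsoft's 2 March 2021 release notes; confirm before use.
$FixedBuilds = @{
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23
    '14.3.513'  = [version]'14.3.513.0'    # Exchange 2010 SP3 RU32
}

function Test-ExchangeBuildPatched {
    # Classify an installed ExSetup.exe build: PATCHED or VULNERABLE for the CUs that received the
    # 2 March 2021 update; UNKNOWN-CU for anything else (an older CU that needs a CU upgrade first,
    # or a CU released after March 2021 that already contains the fix).
    param([Parameter(Mandatory)] [version] $Installed)
    $cuKey = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    if (-not $FixedBuilds.ContainsKey($cuKey)) {
        return [pscustomobject]@{ Installed = $Installed; Fixed = $null; Status = 'UNKNOWN-CU' }
    }
    $fixed = $FixedBuilds[$cuKey]
    [pscustomobject]@{
        Installed = $Installed
        Fixed     = $fixed
        Status    = $(if ($Installed -ge $fixed) { 'PATCHED' } else { 'VULNERABLE' })
    }
}

# Constructed sample builds (not read from a server). [version] accepts the zero-padded form
# Exchange itself reports (15.02.0721.013).
foreach ($v in '15.1.2176.2', '15.2.792.10', '15.02.0721.013', '15.1.1979.3', '14.3.496.0') {
    Test-ExchangeBuildPatched -Installed ([version]$v)
}
# 15.1.2176.2    -> VULNERABLE (2016 CU19 without the security update)
# 15.2.792.10    -> PATCHED    (2019 CU8 with the security update)
# 15.02.0721.013 -> PATCHED    (2019 CU7 with the security update)
# 15.1.1979.3    -> UNKNOWN-CU (an older 2016 CU: move to a supported CU, then apply the update)
# 14.3.496.0     -> UNKNOWN-CU (an earlier 2010 SP3 rollup: install RU32)

# On the server, read the build from ExSetup.exe. Get-ExchangeServer's AdminDisplayVersion shows only
# the CU and does not change when a security update is installed, so it cannot answer this question.
# Test-ExchangeBuildPatched -Installed ([version](Get-Command ExSetup.exe).FileVersionInfo.FileVersion)
```

Microsoft's HealthChecker.ps1 performs this comparison (and many others) with a maintained build table; the value of a hand-written check like this one is in fleet-wide inventories, where the ExSetup.exe version collected from each server can be classified centrally.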
Workarounds
- Disable the Unified Messaging services if they are not operationally required (this removes voicemail and auto-attendant functionality): Set-Service MSExchangeUM -StartupType Disabled, and likewise MSExchangeUMCR for the UM Call Router. This applies to Exchange 2013 and 2016; Exchange 2019 has no Unified Messaging role, so there the update is the only remedy
- Implement network segmentation to limit access to Exchange servers from untrusted networks
- Deploy web application firewall or IIS URL Rewrite rules that block the ProxyLogon entry point; Microsoft's Exchange On-premises Mitigation Tool (EOMT) applies such a rule for CVE-2021-26855, the SSRF that gave attackers the access needed to reach this flaw, but neither it nor a WAF fixes CVE-2021-26857 itself
- Enable strict firewall rules limiting outbound connections from Exchange servers to only required destinations
# Disable the Unified Messaging services (elevated PowerShell; Exchange 2013/2016 only, Exchange 2019 has no UM role).
# Repeat for MSExchangeUMCR (UM Call Router) if it is also unused.
Set-Service MSExchangeUM -StartupType Disabled
Stop-Service MSExchangeUM
# Verify the Exchange build. AdminDisplayVersion shows only the CU and does not change when a security
# update is installed, so read the ExSetup.exe file version for the actual patch level.
Get-ExchangeServer | Format-List Name,AdminDisplayVersion
Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }
# Hunt for script files in the web directories abused by ProxyLogon. owa\auth legitimately contains
# .aspx pages, so sort by creation time and review anything newer than the last update or deployment.
# (-Include only takes effect with -Recurse, which the original second command lacked.)
Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client\" -Recurse -Include *.aspx,*.ashx
Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\" -Recurse -Include *.aspx,*.ashx | Sort-Object CreationTime -Descending
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


