CVE-2021-27065 Overview
CVE-2021-27065 is a remote code execution vulnerability in Microsoft Exchange Server, part of the notorious ProxyLogon attack chain that was actively exploited in the wild. This vulnerability allows an authenticated attacker to write arbitrary files to the server, which can lead to remote code execution. The flaw resides in the Exchange Control Panel (ECP) component and enables attackers to write webshells to accessible directories on the Exchange server.
Critical Impact
This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog. When chained with CVE-2021-26855 (server-side request forgery), attackers can achieve unauthenticated remote code execution on vulnerable Exchange servers, potentially compromising entire enterprise email infrastructures.
Affected Products
- Microsoft Exchange Server 2013 (SP1 through Cumulative Update 21)
- Microsoft Exchange Server 2016 (Cumulative Update 8 through Cumulative Update 19)
- Microsoft Exchange Server 2019 (RTM through Cumulative Update 8)
Discovery Timeline
- March 3, 2021 - CVE-2021-27065 published to NVD
- December 18, 2025 - Last updated in NVD database
Technical Details for CVE-2021-27065
Vulnerability Analysis
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability (CWE-22 - Path Traversal) in Microsoft Exchange Server. The vulnerability exists in the Exchange Control Panel (ECP) functionality, specifically in how it handles Virtual Directory (VDir) configuration operations. An authenticated attacker can manipulate the VDir configuration to write arbitrary content to files on the Exchange server.
This vulnerability is particularly dangerous when combined with CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows bypassing authentication. Together, these vulnerabilities form what security researchers dubbed "ProxyLogon", which enables unauthenticated remote code execution against internet-facing Exchange servers.
The exploitation typically results in webshell deployment, giving attackers persistent access to compromised servers with the privileges of the Exchange service account (often SYSTEM-level access).
Root Cause
The root cause is improper validation of file paths during Virtual Directory configuration export operations in the Exchange Control Panel. The application fails to sanitize the user-controlled input that determines where the exported configuration is written, so path traversal sequences can place the file at an arbitrary location on the file system. This is a classic path traversal weakness (CWE-22): insufficient input validation lets the caller escape the intended directory.
Attack Vector
The attack requires an authenticated session to the Exchange Control Panel, which can be obtained through the companion SSRF vulnerability (CVE-2021-26855) or legitimate credentials. Once authenticated, the attacker:
- Accesses the Exchange Admin Center (EAC/ECP)
- Manipulates the OAB (Offline Address Book) Virtual Directory configuration
- Injects a webshell payload into the external URL field
- Triggers a VDir reset operation that writes the malicious content to a web-accessible location
- Accesses the deployed webshell for persistent command execution
The exploitation allows attackers to write ASPX webshells to directories served by IIS, providing a backdoor for executing arbitrary commands on the server. Public exploits are available through Packet Storm Security.
Detection Methods for CVE-2021-27065
Indicators of Compromise
- Presence of unexpected ASPX files in Exchange web directories (particularly C:\inetpub\wwwroot\aspnet_client\ and C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\)
- Webshell files with suspicious names or recent timestamps in IIS directories
- Modified OAB Virtual Directory external URL configurations containing script content
- Evidence of China Chopper or similar webshell artifacts in web-accessible directories
Detection Strategies
- Monitor Exchange IIS logs for POST requests to unusual ASPX files that were recently created
- Scan Exchange server file systems for known webshell signatures and anomalous ASPX files
- Review Windows Event Logs for unusual process spawning from w3wp.exe (IIS worker process)
- Implement file integrity monitoring on Exchange web directories to detect unauthorized file creation
- Query ECP logs for suspicious Virtual Directory configuration changes
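As an added example (not code from the original page), the following PowerShell hunt covers the indicators listed above and the first two detection strategies in one pass: ASPX files recently created in the two web roots the page names, OAB Virtual Directory ExternalUrl values that contain script markup, and POST requests to those files in the IIS logs. The cut-off date, the IIS log root and the function names are assumptions.

```powershell
# Added example (not from the original page): hunt for the webshell artefacts listed
# above. Assumes Windows PowerShell on the Exchange server, with the Exchange
# Management Shell loaded for Get-OabVirtualDirectory. The cut-off date and the
# IIS log root are assumptions, not values from the page.

$WebRoots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'
)
$Since   = Get-Date '2021-02-26'        # assumed start of the hunting window
$IisLogs = 'C:\inetpub\logs\LogFiles'   # default IIS log root (assumed unchanged)

# 1. ASPX files created in the web roots after the cut-off. Exchange's own files
#    there date from the CU install, so anything newer needs to be explained.
function Find-RecentAspx {
    Get-ChildItem -Path $WebRoots -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $Since } |
        Select-Object Name, FullName, CreationTime, LastWriteTime, Length
}

# 2. OAB virtual directories whose ExternalUrl carries script markup instead of a
#    plain https:// URL, the tell-tale of the VDir tampering described above.
function Find-TamperedOabVdir {
    Get-OabVirtualDirectory |
        Where-Object { "$($_.ExternalUrl)" -match '<script|<%|runat=' } |
        Select-Object Server, Identity, ExternalUrl
}

# 3. POST requests in the IIS W3C logs to the files found in step 1. The log
#    line carries "... cs-method cs-uri-stem ...", so "POST /path/file.aspx"
#    is matched on those two tokens regardless of the other fields configured.
function Find-WebshellPosts {
    param([string[]]$FileNames)
    if (-not $FileNames) { return }
    $pattern = ($FileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $IisLogs -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern "\bPOST\s+\S*($pattern)\b" |
        Select-Object Path, LineNumber, Line
}

$suspicious = @(Find-RecentAspx)
$suspicious | Format-Table Name, CreationTime, FullName -AutoSize
Find-TamperedOabVdir | Format-List
Find-WebshellPosts -FileNames ($suspicious | ForEach-Object { $_.Name }) | Format-Table -AutoSize
```

A hit in step 1 or 2 is a strong signal on its own; step 3 then shows whether the file was ever invoked and from where, which is what the incident response procedure needs.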
Monitoring Recommendations
- Enable enhanced Exchange audit logging and review ECP administrative actions regularly
- Configure alerts for new file creation in Exchange web directories and IIS application folders
- Monitor network traffic for connections to newly created or suspicious endpoints on Exchange servers
- Deploy endpoint detection and response (EDR) solutions to identify post-exploitation activities such as webshell access and command execution
How to Mitigate CVE-2021-27065
Immediate Actions Required
- Apply Microsoft security updates immediately for all affected Exchange Server versions
- Run the Microsoft Safety Scanner on Exchange servers to detect and remove webshells
- Search Exchange servers for indicators of compromise including suspicious ASPX files and modified configurations
- If compromise is detected, consider the server compromised and initiate incident response procedures
- Restrict internet access to Exchange services where possible until patching is complete
Patch Information
Microsoft released security updates to address this vulnerability on March 2, 2021. Organizations should apply the appropriate cumulative update and security update for their Exchange Server version:
- Exchange Server 2013: Apply Cumulative Update 23 with the March 2021 security update
- Exchange Server 2016: Apply Cumulative Update 19 or 20 with the March 2021 security update
- Exchange Server 2019: Apply Cumulative Update 8 or 9 with the March 2021 security update
Refer to the Microsoft Security Advisory for CVE-2021-27065 for specific patch downloads and installation guidance.
Workarounds
- Implement URL Rewrite rules to block known exploitation paths to the ECP endpoint
- Restrict ECP access to trusted internal networks only using firewall rules
- Disable Unified Messaging and OAB services if not required until patches can be applied
- Place Exchange servers behind a VPN or implement additional authentication layers for administrative interfaces
# Example: Check for suspicious ASPX files in common webshell locations
# Run on the Exchange server to identify potential webshells
# Note: -Include is only honoured together with -Recurse (or a wildcard path), so -Filter is used here
Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client" -Recurse -Filter *.aspx
Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" -Recurse -Filter *.aspx
# Check the OAB Virtual Directory configuration for script content in ExternalUrl (run from the Exchange Management Shell)
Get-OabVirtualDirectory | Select-Object Server,Identity,ExternalUrl | Format-List
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.