Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2021-27065

CVE-2021-27065: Microsoft Exchange Server RCE Vulnerability

CVE-2021-27065 is a remote code execution vulnerability in Microsoft Exchange Server that enables attackers to execute arbitrary code on vulnerable systems. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2021-27065 Overview

CVE-2021-27065 is a remote code execution vulnerability in Microsoft Exchange Server, part of the notorious ProxyLogon attack chain that was actively exploited in the wild. This vulnerability allows an authenticated attacker to write arbitrary files to the server, which can lead to remote code execution. The flaw resides in the Exchange Control Panel (ECP) component and enables attackers to write webshells to accessible directories on the Exchange server.

Critical Impact

This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog. When chained with CVE-2021-26855 (server-side request forgery), attackers can achieve unauthenticated remote code execution on vulnerable Exchange servers, potentially compromising entire enterprise email infrastructures.

Affected Products

  • Microsoft Exchange Server 2013 (SP1 through Cumulative Update 21)
  • Microsoft Exchange Server 2016 (Cumulative Update 8 through Cumulative Update 19)
  • Microsoft Exchange Server 2019 (RTM through Cumulative Update 8)

Discovery Timeline

  • March 3, 2021 - CVE-2021-27065 published to NVD
  • December 18, 2025 - Last updated in NVD database

Technical Details for CVE-2021-27065

Vulnerability Analysis

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability (CWE-22 - Path Traversal) in Microsoft Exchange Server. The vulnerability exists in the Exchange Control Panel (ECP) functionality, specifically in how it handles Virtual Directory (VDir) configuration operations. An authenticated attacker can manipulate the VDir configuration to write arbitrary content to files on the Exchange server.

This vulnerability is particularly dangerous when combined with CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows bypassing authentication. Together, these vulnerabilities form what security researchers dubbed "ProxyLogon" - enabling unauthenticated remote code execution against internet-facing Exchange servers.

The exploitation typically results in webshell deployment, giving attackers persistent access to compromised servers with the privileges of the Exchange service account (often SYSTEM-level access).

Root Cause

The root cause is improper validation of file paths during Virtual Directory configuration export operations in the Exchange Control Panel. The application fails to properly sanitize user-controlled input that influences file write operations, allowing path traversal sequences to write files to arbitrary locations on the file system. This constitutes a classic path traversal vulnerability (CWE-22) where insufficient input validation enables attackers to escape intended directory constraints.

Attack Vector

The attack requires an authenticated session to the Exchange Control Panel, which can be obtained through the companion SSRF vulnerability (CVE-2021-26855) or legitimate credentials. Once authenticated, the attacker:

  1. Accesses the Exchange Admin Center (EAC/ECP)
  2. Manipulates the OAB (Offline Address Book) Virtual Directory configuration
  3. Injects a webshell payload into the external URL field
  4. Triggers a VDir reset operation that writes the malicious content to a web-accessible location
  5. Accesses the deployed webshell for persistent command execution

The exploitation allows attackers to write ASPX webshells to directories served by IIS, providing a backdoor for executing arbitrary commands on the server. Public exploits are available through Packet Storm Security.

Detection Methods for CVE-2021-27065

Indicators of Compromise

  • Presence of unexpected ASPX files in Exchange web directories (particularly C:\inetpub\wwwroot\aspnet_client\ and C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\)
  • Webshell files with suspicious names or recent timestamps in IIS directories
  • Modified OAB Virtual Directory external URL configurations containing script content
  • Evidence of China Chopper or similar webshell artifacts in web-accessible directories

Detection Strategies

  • Monitor Exchange IIS logs for POST requests to unusual ASPX files that were recently created
  • Scan Exchange server file systems for known webshell signatures and anomalous ASPX files
  • Review Windows Event Logs for unusual process spawning from w3wp.exe (IIS worker process)
  • Implement file integrity monitoring on Exchange web directories to detect unauthorized file creation
  • Query ECP logs for suspicious Virtual Directory configuration changes

Monitoring Recommendations

  • Enable enhanced Exchange audit logging and review ECP administrative actions regularly
  • Configure alerts for new file creation in Exchange web directories and IIS application folders
  • Monitor network traffic for connections to newly created or suspicious endpoints on Exchange servers
  • Deploy endpoint detection and response (EDR) solutions to identify post-exploitation activities such as webshell access and command execution

How to Mitigate CVE-2021-27065

Immediate Actions Required

  • Apply Microsoft security updates immediately for all affected Exchange Server versions
  • Run the Microsoft Safety Scanner on Exchange servers to detect and remove webshells
  • Search Exchange servers for indicators of compromise including suspicious ASPX files and modified configurations
  • If compromise is detected, consider the server compromised and initiate incident response procedures
  • Restrict internet access to Exchange services where possible until patching is complete

Patch Information

Microsoft released security updates to address this vulnerability on March 2, 2021. Organizations should apply the appropriate cumulative update and security update for their Exchange Server version:

  • Exchange Server 2013: Apply Cumulative Update 23 with the March 2021 security update
  • Exchange Server 2016: Apply Cumulative Update 19 or 20 with the March 2021 security update
  • Exchange Server 2019: Apply Cumulative Update 8 or 9 with the March 2021 security update

Refer to the Microsoft Security Advisory for CVE-2021-27065 for specific patch downloads and installation guidance.

Workarounds

  • Implement URL Rewrite rules to block known exploitation paths to the ECP endpoint
  • Restrict ECP access to trusted internal networks only using firewall rules
  • Disable Unified Messaging and OAB services if not required until patches can be applied
  • Place Exchange servers behind a VPN or implement additional authentication layers for administrative interfaces
bash
# Example: Check for suspicious ASPX files in common webshell locations
# Run on Exchange Server to identify potential webshells

Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client" -Recurse -Include *.aspx
Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" -Include *.aspx

# Check OAB Virtual Directory configuration for suspicious content
Get-OabVirtualDirectory | Select-Object Server,ExternalUrl | Format-List

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.