Threats / Microsoft / CVE-2021-26855
CVE-2021-26855
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Microsoft Exchange Server vulnerability
Microsoft Exchange Server remote code execution vulnerability enabling unauthenticated attackers to execute arbitrary code through the ProxyLogon exploit chain.
Verdict
Today item, not a backlog item.
Critical server-side request forgery leading to remote code execution. Actively exploited in ransomware campaigns with 94% probability of exploitation attempts. Requires immediate patching of all Exchange Server instances.
CISA KEV Yes · 2021-11-033Ransomware use Flagged3EPSS 0.99999 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
1030 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99999 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Microsoft, Exchange Server. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-918 Server-Side Request Forgery (SSRF).CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyHAFNIUM State-sponsored (PRC)
CISA's AA21-062A and the Microsoft Threat Intelligence Center attribute the ProxyLogon Exchange exploitation chain to HAFNIUM (now tracked as Silk Typhoon), a state-sponsored group assessed to operate out of the PRC, naming both the group and the Exchange CVEs.14
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious HTTP request exploiting the server-side request forgery to bypass authentication controls.
Business
Attackers gain initial network access without valid credentials, establishing foothold in email infrastructure.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I leverage the SSRF to execute arbitrary code on the Exchange Server with system privileges.
Business
Complete compromise of email systems enables data exfiltration, lateral movement, and deployment of ransomware payloads.
3
Lateral reach — past segmentation narrative 3
Attacker
I establish persistent access and deploy ransomware across the compromised environment.
Business
Organization faces operational shutdown, data encryption, extortion demands, and regulatory breach notification obligations.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05