---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Microsoft Exchange Server'
version: '1.0'
number: '2021-056'
date: 'October 20, 2021'
---

_History:_

* _20/10/2021 --- v1.0 -- Initial publication_

# Summary

On October 12, Microsoft released its monthly Patch Tuesday batch of updates, fixing several vulnerabilities. One of them could lead to remote code execution on certain versions of Microsoft Exchange Server [1]. The vulnerability, identified as `CVE-2021-26427`, has a CVSS v3 base score of 9.0 out of 10 and could allow an attacker to execute arbitrary code on _on-premises_ Exchange servers [2].

According to Microsoft, the attack vector for this vulnerability is _adjacent_ (CVSS AV:A), meaning the attacker must already have a foothold on the same physical or logical network as the server in order to exploit it. No active exploitation of this vulnerability is known at the time of writing.

# Technical Details

Little detail is available about how `CVE-2021-26427` could be exploited. Microsoft states that it is only exploitable from the same shared physical network (e.g., Bluetooth or IEEE 802.11) or logical network (e.g., the local IP subnet) as the server, and that it requires low-level (basic user) privileges [2]. In practice this means that an attacker who has compromised any workstation or account on the subnet hosting the Exchange server may be in a position to attempt exploitation; network segmentation reduces but does not remove the exposure.

# Affected Products

* Microsoft Exchange Server 2013 Cumulative Update 23
* Microsoft Exchange Server 2016 Cumulative Update 21
* Microsoft Exchange Server 2016 Cumulative Update 22
* Microsoft Exchange Server 2019 Cumulative Update 10
* Microsoft Exchange Server 2019 Cumulative Update 11

Only _on-premises_ installations of Microsoft Exchange Server are exploitable. Microsoft Exchange Online is not affected by this flaw.
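The list above identifies vulnerable servers by Cumulative Update, but a server on one of those CUs is only vulnerable if the October 12 Security Update has not been installed on top of it. `Get-ExchangeServer` reports the CU in `AdminDisplayVersion` and does not change when an SU is applied; the file version of `ExSetup.exe` does. The following PowerShell script is an added example for checking an Exchange organisation, not part of the CERT-EU advisory. It assumes it is run from the Exchange Management Shell with PowerShell remoting enabled to each server, and the minimum patched build numbers in `$PatchedBuild` are taken from Microsoft's Exchange Server build-number reference and should be confirmed there before the output is acted upon.

```powershell
# Added example (not from the CERT-EU advisory): flag on-premises Exchange
# servers that are still on an affected CU without the October 12, 2021 SU.
# Assumes the Exchange Management Shell and PowerShell remoting to each server.
#
# Minimum ExSetup.exe build that contains the October 2021 SU, keyed by the
# "major.minor.build" prefix that identifies the CU. Values taken from
# Microsoft's Exchange build-number reference; verify them there before use.
$PatchedBuild = @{
    '15.2.986'  = [version]'15.2.986.9'    # Exchange 2019 CU11
    '15.2.922'  = [version]'15.2.922.14'   # Exchange 2019 CU10
    '15.1.2375' = [version]'15.1.2375.12'  # Exchange 2016 CU22
    '15.1.2308' = [version]'15.1.2308.15'  # Exchange 2016 CU21
    '15.0.1497' = [version]'15.0.1497.24'  # Exchange 2013 CU23
}

function Get-ExSetupFileVersion {
    # Read the ExSetup.exe file version from a server over PowerShell remoting.
    param([Parameter(Mandatory)][string]$ComputerName)
    $v = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $info = (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo
        # Use the numeric parts: the FileVersion string is zero-padded (e.g. 15.02.0986.009).
        [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
    }
    return [version]$v
}

function Test-ExchangeCve202126427 {
    # Compare a server's ExSetup.exe version against the patched build for its CU.
    param([Parameter(Mandatory)][version]$ExSetupVersion)
    $cu = '{0}.{1}.{2}' -f $ExSetupVersion.Major, $ExSetupVersion.Minor, $ExSetupVersion.Build
    if (-not $PatchedBuild.ContainsKey($cu)) {
        return 'CU not in the affected list (check its support status)'
    }
    if ($ExSetupVersion -ge $PatchedBuild[$cu]) {
        return 'Patched'
    }
    return 'VULNERABLE: install the October 2021 SU'
}

# Inventory every Exchange server in the organisation.
Get-ExchangeServer | ForEach-Object {
    $ver = Get-ExSetupFileVersion -ComputerName $_.Fqdn
    [pscustomobject]@{
        Server  = $_.Name
        ExSetup = $ver
        Status  = Test-ExchangeCve202126427 -ExSetupVersion $ver
    }
} | Format-Table -AutoSize
```

A server reported as `VULNERABLE` is on one of the listed CUs but still runs a pre-October build of `ExSetup.exe`; a server whose CU is not in the table is not covered by this advisory's affected list and should be checked separately, since CUs that Microsoft no longer supports do not receive the Security Update at all.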
# Recommendations

Applying the Security Update released on October 12 to all on-premises Exchange servers [2] is currently the only mitigation for this vulnerability. Because the attack vector is adjacent, restricting which hosts share a network segment with Exchange servers limits who can reach the vulnerable component, but it is not a substitute for the update.

# References

[1]

[2]

[3]