CVE-2021-26855 Explained: ProxyLogon and the Microsoft Exchange Mass Exploitation Event
A server-side request forgery vulnerability in Microsoft Exchange that bypasses authentication and chains with three additional CVEs to achieve pre-authentication RCE. Every on-premises Exchange server on the internet was targeted within days of patch release.

Founder & Cybersecurity Evangelist
CVE-2021-26855, known as ProxyLogon, is a critical server-side request forgery vulnerability in Microsoft Exchange Server. DEVCORE researcher Orange Tsai discovered it and reported it to Microsoft in January 2021; Microsoft released an emergency out-of-band patch on March 2, 2021, one week after learning that the Chinese nation-state threat actor HAFNIUM was already exploiting it in the wild.
The vulnerability allows an unauthenticated remote attacker to bypass Exchange authentication by abusing a flaw in how the Exchange frontend proxy handles HTTP requests. When chained with CVE-2021-27065 (post-auth arbitrary file write), CVE-2021-26857 (insecure deserialization), and CVE-2021-26858 (post-auth arbitrary file write), an attacker achieves full pre-authentication remote code execution.
Within days of patch release, over 250,000 Exchange servers had been backdoored with web shells. Within two weeks, ten or more distinct threat actor groups were exploiting ProxyLogon, including ransomware operators, cryptominers, and multiple nation-state APTs.
How CVE-2021-26855 Works: The ProxyLogon Exploit Chain
Exchange Server exposes a frontend proxy service (accessible externally on port 443) and a backend Exchange store service. The frontend proxy is supposed to authenticate requests before forwarding them to the backend.
CVE-2021-26855 is an SSRF vulnerability in the frontend proxy. By sending a crafted HTTP request with a manipulated Cookie header, an attacker causes Exchange to make HTTP requests to internal backend endpoints on the attacker's behalf, bypassing authentication entirely and impersonating any user, including Exchange administrators.
With administrator access established via CVE-2021-26855, CVE-2021-27065 is used to write a web shell to a publicly accessible directory on the Exchange server. The attacker then accesses the web shell via HTTP to execute arbitrary commands with SYSTEM privileges.
SSRF Authentication Bypass (CVE-2021-26855)
The attacker sends a crafted HTTP POST to the Exchange Autodiscover endpoint with a manipulated Cookie header. The frontend proxy makes an authenticated backend request on the attacker's behalf, bypassing authentication.
Impersonate Administrator
The SSRF allows the attacker to make Exchange Web Services API calls as any user, including administrators. No password is required.
Write Web Shell (CVE-2021-27065)
Using the administrator session, the attacker abuses the Exchange Control Panel to write a malicious .aspx web shell to a writable directory on the Exchange server.
Execute Arbitrary Commands
The attacker accesses the web shell via HTTPS, executing commands with SYSTEM privileges. Full domain compromise often follows within hours.
Affected Versions
CVE-2021-26855 affects on-premises Microsoft Exchange Server installations only. Exchange Online (Microsoft 365) is not affected.
Vulnerable versions: Exchange Server 2013 (all Cumulative Updates), Exchange Server 2016 (CU18 and CU19), Exchange Server 2019 (CU7 and CU8). Exchange Server 2010 received an exceptional out-of-band patch despite being end-of-support.
Detection and Patch Guidance
Microsoft released a ProxyLogon detection script (Test-ProxyLogon.ps1). Run this on all on-premises Exchange servers immediately. Key indicators: unexpected .aspx files in aspnet_client directories, suspicious HttpProxy log entries with external IPs in Cookie headers, and SYSTEM-level process spawns from w3wp.exe.
Run Microsoft's Test-ProxyLogon.ps1
Execute the official Microsoft detection script on all Exchange servers. It scans HTTP proxy logs and filesystem locations for known ProxyLogon IOCs.
Apply the March 2021 Exchange Security Updates
Install the Cumulative Update + Security Update packages for your Exchange version. Full patch details in Microsoft KB5000871.
Audit aspnet_client directories for web shells
Check C:\inetpub\wwwroot\aspnet_client\ and all Exchange virtual directories for any unexpected .aspx files; treat any you find as likely backdoors.
Rotate all credentials after confirmed compromise
If compromise is confirmed: rotate all Active Directory credentials, reset Exchange service account passwords, invalidate OAuth tokens, and audit admin group membership.
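As an added detection example (not the page's own code and not Microsoft's Test-ProxyLogon.ps1), the Python below triages HttpProxy log rows for the two routing-field shapes Microsoft published for CVE-2021-26855 (AnchorMailbox like ServerInfo~*/* and BackEndCookie like Server~*/*~*) and flags whether the requesting client address is external. The column subset, the sample rows and the INTERNAL_NETS ranges are constructed assumptions; real HttpProxy logs carry far more columns.

```python
# Added example: triage HttpProxy logs for the CVE-2021-26855 indicators in Microsoft's HAFNIUM guidance.
import csv
import fnmatch
import ipaddress

INDICATORS = (("AnchorMailbox", "ServerInfo~*/*"), ("BackEndCookie", "Server~*/*~*"))  # (field, -like pattern)
# Assumed internal address space (RFC 1918 plus loopback); tune to your own estate
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample with a subset of the real ~100 columns; real files may begin with '#' preamble lines
SAMPLE_LOG = """#Log-type: HttpProxy Logs
DateTime,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-02T10:15:01.000Z,10.0.0.25,/owa/auth/logon.aspx,,,200
2021-03-02T10:16:44.000Z,198.51.100.23,/ecp/y.js,ServerInfo~exch01.corp.local/autodiscover/autodiscover.xml,,200
2021-03-02T10:17:02.000Z,198.51.100.23,/ecp/y.js,,Server~exch01.corp.local/ecp/default.aspx~1,200
2021-03-02T10:18:30.000Z,10.0.0.31,/ews/exchange.asmx,user@corp.local,,200
"""

def parse_httpproxy_log(text: str) -> list[dict]:
    """One dict per request; '#' lines are skipped and the first plain line is the header."""
    fields, rows = None, []
    lines = (l for l in text.splitlines() if l.strip() and not l.startswith("#"))
    for values in csv.reader(lines):
        if fields is None:
            fields = values
        else:
            rows.append(dict(zip(fields, values)))
    return rows

def is_external(ip: str) -> bool:
    """True when the client address lies outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def find_proxylogon_hits(rows: list[dict]) -> list[dict]:
    """Flag rows whose routing fields carry the backend-override shape of the SSRF."""
    hits = []
    for row in rows:
        reasons = [f"{field} matches {pattern}" for field, pattern in INDICATORS
                   if fnmatch.fnmatchcase(row.get(field, ""), pattern)]
        if reasons:
            ip = row.get("ClientIpAddress", "")
            hits.append({"time": row["DateTime"], "ip": ip, "external": is_external(ip),
                         "url": row.get("UrlStem", ""), "reasons": reasons})
    return hits
```

Point parse_httpproxy_log at the contents of each file under the Exchange Logging\HttpProxy tree and review every hit, giving priority to those marked external.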
The bottom line
ProxyLogon remains one of the most consequential vulnerability disclosures of the 2020s. If your organization runs on-premises Exchange Server, the checklist is: patch applied, web shell scan completed, HttpProxy logs reviewed, and credential rotation completed if any indicators were found. On-premises Exchange continues to be a high-value target; consider migrating to Exchange Online.

Founder & Cybersecurity Evangelist, Decryption Digest