CVE-2021-34473 Explained: ProxyShell, the Pre-Auth Exchange RCE Chain
Three chained Exchange Server vulnerabilities enabling unauthenticated remote code execution. Mass exploitation within 48 hours of technical details going public. LockFile, BlackByte, and Hive ransomware all deployed via ProxyShell.

Founder & Cybersecurity Evangelist
ProxyShell is an exploit chain combining three Microsoft Exchange Server vulnerabilities: CVE-2021-34473 (a pre-authentication path confusion in the Client Access front end), CVE-2021-34523 (a privilege elevation in the Exchange PowerShell backend), and CVE-2021-31207 (a post-authentication arbitrary file write through mailbox export). Together they let an attacker who can reach the Exchange server's HTTPS port, with no credentials at all, achieve remote code execution by dropping a web shell.
Discovered by security researcher Orange Tsai of DEVCORE, who demonstrated the chain at Pwn2Own in April 2021 and presented the technical details at Black Hat USA in August 2021, ProxyShell went from public technical disclosure to mass exploitation within 48 hours. Multiple ransomware groups, including LockFile, BlackByte, Hive, and Conti, deployed ransomware via ProxyShell-planted web shells within weeks of the technique becoming public.
The Three-CVE ProxyShell Chain Explained
The ProxyShell chain exploits the architecture of Microsoft Exchange's Client Access Service (CAS) — specifically, how the CAS acts as a proxy between external requests and Exchange's backend services.
CVE-2021-34473 is a pre-authentication path confusion vulnerability in the CAS front end. The Autodiscover handler accepts an "explicit logon" URL form in which a mailbox address is embedded in the path; when the front end normalizes such a URL to build the request it proxies to the backend, it strips the explicit-logon segment, so an attacker-controlled remainder of the URL becomes the backend path. An external request can therefore reach backend endpoints that were never meant to be exposed, notably the PowerShell remoting endpoint, without any authentication.
CVE-2021-34523 is a privilege elevation flaw in the Exchange PowerShell backend. Requests relayed through the front end normally carry the authenticated identity in a Common Access Token; when a request reaches the backend with that token supplied in the X-Rps-CAT query parameter instead of from the front end's own authentication, the backend trusts it without checking who produced it. The attacker can present a token naming any Active Directory user, typically a domain or Exchange administrator who has a mailbox, and the backend runs cmdlets in that user's context.
With these two CVEs chained, the attacker has unauthenticated access to Exchange PowerShell acting as an arbitrary user. CVE-2021-31207 completes the chain: the New-MailboxExportRequest cmdlet exports a mailbox to a PST file at an attacker-chosen path, and that path can point into Exchange's web root. If the mailbox holds a message whose body contains ASPX web shell code, that code ends up inside the written file; because PST data blocks are stored with a simple permutation encoding, the attacker pre-encodes the payload so the bytes on disk form a valid ASP.NET page, which is also why the shell is not visible as plaintext in the message itself. Written with an .aspx extension under a web-served directory, the file is executed by the IIS server hosting Exchange.
Exploit CVE-2021-34473: Path confusion to backend
Send a crafted HTTPS request to the Exchange CAS front end using an explicit-logon Autodiscover URL that the path normalization mishandles, causing the CAS to proxy the request to the backend PowerShell endpoint with no authentication token attached.
Exploit CVE-2021-34523: Impersonate any user
With the backend PowerShell endpoint reachable without a valid token, supply a forged Common Access Token in the X-Rps-CAT parameter to impersonate an arbitrary mailbox user. Attackers commonly impersonate a domain administrator who has an Exchange mailbox.
Create a mailbox with web shell content
Send PowerShell commands to create or locate a mailbox the impersonated user can export, then place a message in it whose body contains the ASPX web shell: an ASP.NET page that runs server-side when the exported file is requested over HTTP.
Export mailbox message to web root (CVE-2021-31207)
Use New-MailboxExportRequest to export that mailbox, web shell message included, to a file path inside the Exchange web root with a .aspx extension. The cmdlet only accepts UNC paths, so the attacker points it at the server's own administrative share. Exchange writes the PST, carrying the embedded ASPX code, to the specified file.
Execute web shell
Request the exported ASPX file over HTTPS. IIS compiles and executes the page, giving persistent remote code execution on the Exchange server. Exchange's IIS application pools run as LocalSystem, so the web shell executes as NT AUTHORITY\SYSTEM, not as a low-privilege account such as NETWORK SERVICE.
Mass Exploitation and Ransomware Deployment
Microsoft fixed CVE-2021-34473 and CVE-2021-34523 in the April 2021 Exchange Security Updates without public disclosure, fixed CVE-2021-31207 in the May 2021 Security Updates, and only assigned and published the CVEs in July 2021. Technical details sufficient to reproduce the chain were not public until Orange Tsai's Black Hat USA presentation in early August 2021. Within 48 hours of the presentation, security researchers had reconstructed working exploit code, and mass scanning for vulnerable Exchange servers began.
Within a week, multiple threat actors were deploying web shells on unpatched Exchange servers at scale. The subsequent weeks saw ransomware operators use ProxyShell-planted web shells for initial access:
LockFile ransomware used ProxyShell for access followed by PetitPotam exploitation for lateral movement. BlackByte ransomware operators were confirmed using ProxyShell in multiple enterprise intrusions. Hive ransomware affiliates used ProxyShell as one of their primary initial access vectors in the second half of 2021. Conti ransomware affiliates incorporated ProxyShell into their playbooks.
The rapid ransomware adoption reflects the high value of Exchange as a target: organizations running on-premises Exchange typically have it in a central network position with access to Active Directory, file shares, and other critical internal resources — making it an ideal pivot point for ransomware lateral movement.
“ProxyShell is a pre-authentication remote code execution exploit chain that allows any unauthenticated attacker to take over Microsoft Exchange. Attackers are actively scanning for and exploiting vulnerable systems.”
— Orange Tsai, Black Hat USA 2021
Patching and Detecting ProxyShell Compromise
Microsoft released the fixes in the April and May 2021 Exchange Security Updates. Servers on a supported Cumulative Update with the May 2021 (or later) Security Update installed are protected against all three CVEs. The following steps address both patching and post-exploitation detection.
Apply May 2021 or later Exchange cumulative updates
Install the May 2021 or later Security Update on a supported Cumulative Update of Exchange Server 2013, 2016, or 2019; all three ProxyShell CVEs are addressed at that level. Verify the installed version rather than trusting change records: Get-ExchangeServer | Format-List Name,AdminDisplayVersion shows the Cumulative Update, but Security Updates only change the file version of ExSetup.exe, so check that against Microsoft's build number table, or run Microsoft's HealthChecker.ps1 script, which reports both.
Search for web shells in Exchange directories
Scan the Exchange web directories for unauthorized ASPX files: C:\inetpub\wwwroot\aspnet_client\ (which should contain no .aspx files at all), C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\, and the FrontEnd\HttpProxy\ecp\ and Autodiscover directories. Any .aspx file not present in a clean installation of the same build is suspicious; exported web shells often carry random file names and are larger than a hand-written shell because the whole PST is written to disk.
Search IIS logs for export request cmdlet abuse
Search the front-end IIS logs for requests to /autodiscover/autodiscover.json whose query string begins with an @ sign or contains Email=autodiscover/autodiscover.json, and for query strings carrying /powershell, /mapi/nspi, or an X-Rps-CAT= parameter; these are characteristic of the ProxyShell chain and no legitimate client sends them. Do not filter on 200 responses only: failed attempts (4xx/5xx) from the same source still show the server was targeted. Then audit the MSExchange Management event log, which records every Exchange cmdlet invocation, for New-MailboxExportRequest activity.
Audit PowerShell logs for mailbox export requests
Enable and review Exchange Management Shell logging (the MSExchange Management event log and the Exchange admin audit log). New-MailboxExportRequest only accepts UNC paths, so look for exports whose -FilePath loops back to the server itself (\\localhost\c$\..., \\127.0.0.1\c$\..., or the server's own hostname) into a web-served directory, or names a .aspx file instead of a .pst. Also look for a preceding New-ManagementRoleAssignment granting the Mailbox Import Export role, which the export cmdlet requires and which no role group holds by default.
Perform full compromise assessment before returning to service
ProxyShell web shells were often dormant for weeks before ransomware deployment. Any Exchange server that was unpatched during the August-September 2021 exploitation window and is not confirmed clean should be treated as compromised and assessed before trusting it as a clean system.
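The IIS log hunt and the export-path check from the steps above, as an added example that is not part of the original article and is not Microsoft or DEVCORE tooling. It parses a constructed IIS W3C log excerpt (the attacker address 203.0.113.77, the hostnames, the file paths and the X-Rps-CAT value are all made up), flags the ProxyShell request patterns, and classifies New-MailboxExportRequest -FilePath values; the indicator names and the local_hosts parameter are this example's own choices.

```python
"""Hunt for ProxyShell traces in Exchange IIS logs and mailbox-export paths.
Added example for this article, not Exchange tooling or the researcher's code;
the log excerpt, IP addresses, hostnames and export paths are constructed."""
import re
from urllib.parse import unquote

# Constructed front-end (HttpProxy) IIS log excerpt, W3C extended format.
# 203.0.113.77 plays the attacker; the X-Rps-CAT value is a made-up token.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2021-08-13 02:14:07 GET /owa/auth/logon.aspx url=https://mail.example.local/owa/ 10.10.5.21 - 200
2021-08-13 02:14:09 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 203.0.113.77 - 200
2021-08-13 02:14:11 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBB&Email=autodiscover/autodiscover.json%3F@evil.corp 203.0.113.77 - 200
2021-08-13 02:14:30 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBB&Email=autodiscover/autodiscover.json%3F@evil.corp 203.0.113.77 - 401
2021-08-13 02:15:02 GET /autodiscover/autodiscover.json Email=jsmith@example.local 10.10.5.40 EXAMPLE\\jsmith 200
2021-08-13 02:16:45 GET /aspnet_client/shell.aspx - 203.0.113.77 - 200
"""
# Directories IIS serves on an Exchange server (lower-case, backslash form).
WEB_DIR_MARKERS = ("\\inetpub\\wwwroot\\", "\\frontend\\httpproxy\\", "\\clientaccess\\")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue  # blank line or another directive (#Software, #Date, ...)
        elif fields is None:
            raise ValueError("log record appears before a #Fields header")
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed rows, never misalign
                yield dict(zip(fields, values))


def proxyshell_indicators(rec):
    """Return the ProxyShell indicator names matched by one log record."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = unquote(rec.get("cs-uri-query", "")).lower()
    hits = []
    if stem.endswith("/autodiscover/autodiscover.json"):
        # Explicit-logon abuse (CVE-2021-34473): query opens with "@<domain>/" and
        # smuggles a backend path; the doubled Email=autodiscover/autodiscover.json
        # is the tell-tale of the chain. No real client sends either.
        if query.startswith("@") or "email=autodiscover/autodiscover.json" in query:
            hits.append("autodiscover_path_confusion")
        if "/powershell" in query:
            hits.append("backend_powershell_reached")
        if "/mapi/nspi" in query:
            hits.append("mapi_nspi_sid_lookup")
    if "x-rps-cat=" in query:  # forged Common Access Token (CVE-2021-34523)
        hits.append("x_rps_cat_impersonation")
    if "/aspnet_client/" in stem and stem.endswith(".aspx"):
        hits.append("aspx_in_aspnet_client")  # that directory has no .aspx normally
    return hits


def hunt(log_text):
    """Run the indicators over a log. Every status code is kept: a 401 or 500 on
    these URLs still proves the server was targeted."""
    findings = []
    for n, rec in enumerate(parse_w3c(log_text), 1):
        hits = proxyshell_indicators(rec)
        if hits:
            findings.append({"record": n, "c-ip": rec["c-ip"],
                             "status": rec["sc-status"], "indicators": hits})
    return findings


def classify_export_path(file_path, local_hosts=("localhost", "127.0.0.1")):
    """Reasons a New-MailboxExportRequest -FilePath looks like CVE-2021-31207 abuse.
    The cmdlet only accepts UNC paths, so a legitimate export targets a file
    share; the abuse pattern loops back to the server's own administrative
    share, lands in a web-served directory, or is not a .pst. Add the server's
    own hostname to local_hosts so \\\\EXCH01\\c$\\... is caught as well."""
    p = file_path.strip().lower().replace("/", "\\")
    reasons = []
    m = re.match(r"\\\\([^\\]+)\\[a-z]\$\\", p)  # \\host\X$\ administrative share
    if m and m.group(1) in {h.lower() for h in local_hosts}:
        reasons.append("local_admin_share")
    if any(marker in p for marker in WEB_DIR_MARKERS):
        reasons.append("web_served_directory")
    if not p.endswith(".pst"):
        reasons.append("non_pst_extension")
    return reasons


if __name__ == "__main__":
    found = hunt(SAMPLE_IIS_LOG)
    for f in found:
        print(f"record {f['record']} from {f['c-ip']} (HTTP {f['status']}): {', '.join(f['indicators'])}")
    print("sources:", sorted({f["c-ip"] for f in found}))
    for path in (r"\\fileserver01\exports\jsmith.pst",
                 r"\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\iOlfcp.aspx"):
        print(path, "->", classify_export_path(path) or "normal export")
```

On a real server, point hunt() at the files under C:\inetpub\logs\LogFiles\W3SVC1\ (the front-end site) and feed classify_export_path() the -FilePath values pulled from the MSExchange Management event log, passing the server's own hostname in local_hosts. The 401 record is kept on purpose: a blocked attempt is still evidence of targeting and of which source addresses to pivot on.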
The bottom line
ProxyShell is the third in a trilogy of Exchange CAS architecture vulnerabilities presented by Orange Tsai (after ProxyLogon and ProxyOracle). All three exploited the same fundamental architectural pattern: the Client Access Service's proxy behavior creates a path by which external requests can reach internal Exchange backend services with manipulated or absent authentication.
Microsoft has addressed the individual CVEs in each chain. The architectural root cause — the complexity of Exchange's multi-tier request routing — is not something a single patch cycle resolves. On-premises Exchange continues to present a large, complex attack surface that requires active patching, monitoring, and investigation.
The ProxyShell ransomware wave demonstrated that time from exploit publication to ransomware deployment is now measured in days, not weeks. Any organization running unpatched Exchange when a critical exploit goes public should operate on the assumption of compromise and investigate actively, not wait for symptoms to appear.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.