CVE-2021-26855

Vulnerability updated a month ago (2024-11-29T13:38:01.417Z)

Download STIX

Preview STIX

CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange servers, particularly versions 2013, 2016, and 2019. This flaw in software design or implementation was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on the compromised systems. The exploitation of this vulnerability enabled threat actors to execute client-side attacks (T1203), exploit public-facing applications (T1190), and disseminate phishing emails through hijacked email threads obtained from Microsoft ProxyLogon attacks. On December 2, 2022, a significant ransomware attack disrupted email services for thousands of small and medium-sized businesses (SMBs) due to the unpatched ProxyLogOn zero-day vulnerability (CVE-2021-26855). The update had not been applied due to operational concerns. The cybercriminals leveraged the vulnerability to infiltrate the email servers, leading to substantial disruption and data compromise. The incident was investigated by GERT, who confirmed SMB abuse, IKEEXT service exploitation, and the exploitation of the Microsoft Exchange server remote code execution vulnerability. In addition to these disruptions, attackers deployed a novel backdoor called 'Sponsor' onto target systems after obtaining initial access via the known vulnerabilities in the internet-exposed Microsoft Exchange servers. This operation further complicated the security landscape and amplified the potential damage caused by the CVE-2021-26855 vulnerability. In conclusion, the CVE-2021-26855 vulnerability represents a significant risk to organizations using affected versions of Microsoft Exchange servers, highlighting the importance of timely patching and robust cybersecurity measures.

Description last updated: 2024-09-03T16:15:54.629Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Proxylogon is a possible alias for CVE-2021-26855. ProxyLogon is a serious software vulnerability, specifically an exploit chain in Microsoft Exchange Server. The chain includes CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows attackers to bypass authentication and impersonate users, along with other vulnerabilities suc	6

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Microsoft

Ransomware

Exploit

Vulnerability

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Proxyshell Vulnerability is associated with CVE-2021-26855. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac	Unspecified	3
The vulnerability CVE-2021-26857 is associated with CVE-2021-26855.	Unspecified	2
The vulnerability CVE-2021-26858 is associated with CVE-2021-26855.	Unspecified	2
The vulnerability CVE-2021-27065 is associated with CVE-2021-26855.	Unspecified	2

Source Document References

Information about the CVE-2021-26855 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	3 months ago	14 Million Patients Impacted by US Healthcare Data Breaches in 2024
Securelist	4 months ago	Most interesting IR cases in 2023: insider threats and more
BankInfoSecurity	7 months ago	Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42	7 months ago	Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
CERT-EU	10 months ago	Sensor Intel Series: Top CVEs in December 2023
MITRE	a year ago	Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 \| Microsoft Security Blog
MITRE	a year ago	Ransomware Spotlight: AvosLocker
MITRE	a year ago	Analyzing Attacker Behavior Post-Exploitation of MS Exchange \| Rapid7 Blog
MITRE	a year ago	An In-Depth Look at Black Basta Ransomware
CERT-EU	a year ago	Rackspace Ransomware Costs Soar to Nearly $12M \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in October 2023
CERT-EU	a year ago	Are DarkGate and PikaBot the new QakBot?
DARKReading	a year ago	Rackspace Ransomware Costs Soar to Nearly $12M
CERT-EU	a year ago	Gov to create safe harbour for companies under cyber attack
CERT-EU	a year ago	Sensor Intel Series: Top CVEs in August 2023 \| F5 Labs
CERT-EU	a year ago	Cyber Security Week in Review: September 15, 2023
ESET	a year ago	Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
BankInfoSecurity	a year ago	Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU	a year ago	‘Scan-and-exploit’ campaign snares unpatched Exchange servers