CVE-2021-26855

Vulnerability updated a year ago (2024-11-29T13:38:01.417Z)

Download STIX

Preview STIX

CVE-2021-26855 is a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange servers, particularly versions 2013, 2016, and 2019. This flaw in software design or implementation was exploited by attackers to gain initial access to the email servers and drop an ASPX webshell on the compromised systems. The exploitation of this vulnerability enabled threat actors to execute client-side attacks (T1203), exploit public-facing applications (T1190), and disseminate phishing emails through hijacked email threads obtained from Microsoft ProxyLogon attacks. On December 2, 2022, a significant ransomware attack disrupted email services for thousands of small and medium-sized businesses (SMBs) due to the unpatched ProxyLogOn zero-day vulnerability (CVE-2021-26855). The update had not been applied due to operational concerns. The cybercriminals leveraged the vulnerability to infiltrate the email servers, leading to substantial disruption and data compromise. The incident was investigated by GERT, who confirmed SMB abuse, IKEEXT service exploitation, and the exploitation of the Microsoft Exchange server remote code execution vulnerability. In addition to these disruptions, attackers deployed a novel backdoor called 'Sponsor' onto target systems after obtaining initial access via the known vulnerabilities in the internet-exposed Microsoft Exchange servers. This operation further complicated the security landscape and amplified the potential damage caused by the CVE-2021-26855 vulnerability. In conclusion, the CVE-2021-26855 vulnerability represents a significant risk to organizations using affected versions of Microsoft Exchange servers, highlighting the importance of timely patching and robust cybersecurity measures.

Description last updated: 2024-09-03T16:15:54.629Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Proxylogon is a possible alias for CVE-2021-26855. ProxyLogon is a serious software vulnerability, specifically an exploit chain in Microsoft Exchange Server. The chain includes CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows attackers to bypass authentication and impersonate users, along with other vulnerabilities suc	8

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Microsoft

Ransomware

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Proxyshell Vulnerability is associated with CVE-2021-26855. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac	Unspecified	3
The vulnerability CVE-2021-26858 is associated with CVE-2021-26855.	Unspecified	2
The vulnerability CVE-2021-27065 is associated with CVE-2021-26855.	Unspecified	2
The vulnerability CVE-2021-26857 is associated with CVE-2021-26855.	Unspecified	2

Source Document References

Information about the CVE-2021-26855 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	7 months ago	You will always remember this as the day you finally caught FamousSparrow
Securelist	8 months ago	Head Mare and Twelve: Joint attacks on Russian entities
Securelist	9 months ago	The EAGERBEE backdoor may be related to the CoughingDown actor
InfoSecurity-magazine	a year ago	14 Million Patients Impacted by US Healthcare Data Breaches in 2024
Securelist	a year ago	Most interesting IR cases in 2023: insider threats and more
BankInfoSecurity	a year ago	Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42	a year ago	Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
CERT-EU	2 years ago	Sensor Intel Series: Top CVEs in December 2023
MITRE	2 years ago	Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 \| Microsoft Security Blog
MITRE	2 years ago	Ransomware Spotlight: AvosLocker
MITRE	2 years ago	Analyzing Attacker Behavior Post-Exploitation of MS Exchange \| Rapid7 Blog
MITRE	2 years ago	An In-Depth Look at Black Basta Ransomware
CERT-EU	2 years ago	Rackspace Ransomware Costs Soar to Nearly $12M \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	2 years ago	Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
CERT-EU	2 years ago	Sensor Intel Series: Top CVEs in October 2023
CERT-EU	2 years ago	Are DarkGate and PikaBot the new QakBot?
DARKReading	2 years ago	Rackspace Ransomware Costs Soar to Nearly $12M
CERT-EU	2 years ago	Gov to create safe harbour for companies under cyber attack
CERT-EU	2 years ago	Sensor Intel Series: Top CVEs in August 2023 \| F5 Labs
CERT-EU	2 years ago	Cyber Security Week in Review: September 15, 2023