CVE-2021-26855

Vulnerability updated 11 days ago (2024-09-03T16:18:11.227Z)
CVE-2021-26855 is a pre-authentication server-side request forgery (SSRF) vulnerability in on-premises Microsoft Exchange Server 2013, 2016 and 2019 that was exploited as a zero-day before Microsoft's out-of-band patches of March 2021. It is the entry point of the ProxyLogon chain: an unauthenticated request to the Exchange front end is forwarded to a back-end endpoint of the attacker's choosing, which lets the attacker bypass authentication and impersonate users. Attackers used it to gain initial access to email servers and, chained with the follow-on Exchange vulnerabilities, to drop ASPX webshells on the compromised systems. In ATT&CK terms the activity is recorded as Exploit Public-Facing Application (T1190) and Exploitation for Client Execution (T1203), and compromised servers were also used to send phishing emails built on hijacked email threads taken from Exchange servers breached via ProxyLogon.

On December 2, 2022, a ransomware attack on a hosted Exchange environment (the Rackspace incident referenced in the sources below) disrupted email service for thousands of small and medium-sized businesses (SMBs). The affected servers were running without the relevant Exchange update, which had been held back over operational concerns, and the attackers used the unpatched servers to get in, with substantial disruption and data compromise as a result. Note that the flaw exploited in that incident was a later Exchange SSRF chain (ProxyNotShell/OWASSRF) rather than ProxyLogon itself; the incident is nonetheless a recurring illustration of what an unpatched, internet-facing Exchange server costs.

In a separate incident-response engagement described on Securelist, Kaspersky's Global Emergency Response Team (GERT) confirmed SMB abuse, abuse of the IKEEXT service, and exploitation of the Microsoft Exchange server remote code execution vulnerability on the victim's systems.

ESET has also documented the Iranian group Ballistic Bobcat deploying a new backdoor named Sponsor after gaining initial access through known vulnerabilities, CVE-2021-26855 among them, in internet-exposed Microsoft Exchange servers. That scan-and-exploit campaign shows that the vulnerability kept paying off for attackers well after patches were available.

In conclusion, CVE-2021-26855 remains a significant risk to organizations running affected, unpatched versions of Microsoft Exchange Server; timely patching and hunting for post-exploitation artifacts such as webshells and anomalous proxy-log entries are the practical defences.
Description last updated: 2024-09-03T16:15:54.629Z
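The description above says the SSRF is an unauthenticated front-end request that Exchange forwards to a back end of the attacker's choosing. The added example below (not code from this page or from any of its sources) applies the publicly documented indicator for that behaviour, an HttpProxy log entry with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~<host>/<path>, to constructed log lines in the CSV style Exchange writes under its Logging\HttpProxy directory. The column set, hostnames, addresses and paths are assumptions for illustration; real logs carry many more columns, which is why rows are parsed by the header names rather than by position.

```python
"""Hunt for CVE-2021-26855 (ProxyLogon) SSRF attempts in Exchange HttpProxy logs.

Added example for this page, not code from the page's sources. It applies the
publicly documented indicator for this CVE (an HttpProxy request with an empty
AuthenticatedUser whose AnchorMailbox looks like ServerInfo~<host>/<path>) to
the CSV-style logs Exchange writes under ...\\Logging\\HttpProxy.
Assumptions: the column names used below are a subset of the real header; real
logs carry many more columns, so rows are parsed by header name, not position.
"""
from __future__ import annotations

import csv
import re
from collections import Counter

# A front-end request routed to a chosen back end carries an anchor of the
# form ServerInfo~<host>/<path>; Microsoft's guidance matches 'ServerInfo~*/*'.
SSRF_ANCHOR = re.compile(r"^ServerInfo~.*/", re.IGNORECASE)

# Constructed sample in HttpProxy log style ('#' metadata lines, then CSV).
# Hosts, IPs, paths, user agents and timestamps are made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2242.004
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-02T10:15:01.123Z,0001,mail.example.test,/owa/auth/logon.aspx,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101, Firefox/86.0",203.0.113.10,200
2021-03-02T10:15:02.456Z,0002,mail.example.test,/ecp/default.flt,alice@example.test,Smtp~alice@example.test,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101, Firefox/86.0",198.51.100.7,200
2021-03-02T10:15:03.789Z,0003,mail.example.test,/owa/auth/x.js,,ServerInfo~localhost/autodiscover/autodiscover.xml,python-requests/2.25.1,203.0.113.10,200
2021-03-02T10:15:04.012Z,0004,mail.example.test,/ecp/y.js,,ServerInfo~mail.example.test/ecp/proxyLogon.ecp,python-requests/2.25.1,203.0.113.10,200
2021-03-02T10:15:05.345Z,0005,mail.example.test,/mapi/emsmdb/,bob@example.test,ServerInfo~backend01.example.test/mapi/emsmdb,Outlook/16.0,198.51.100.8,200
"""


def parse_httpproxy_log(text: str) -> list[dict[str, str]]:
    """Parse HttpProxy log text into one dict per request, keyed by the
    '#Fields:' header line. Other '#' metadata lines are skipped."""
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before a #Fields: header")
        # csv handles quoted values (user agents with commas), unlike split(',').
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def is_proxylogon_ssrf(row: dict[str, str]) -> bool:
    """True when a request was unauthenticated at the front end yet was still
    routed with a ServerInfo~ anchor: the CVE-2021-26855 exploitation pattern.
    Authenticated ServerInfo~ routing is normal proxy behaviour and is ignored."""
    unauthenticated = not row.get("AuthenticatedUser", "").strip()
    return unauthenticated and bool(SSRF_ANCHOR.match(row.get("AnchorMailbox", "")))


def find_proxylogon_hits(text: str) -> list[dict[str, str]]:
    """Return every log row that matches the SSRF indicator."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_ssrf(row)]


def hits_by_client(hits: list[dict[str, str]]) -> dict[str, int]:
    """Count hits per source address to prioritise which clients to block or triage."""
    return dict(Counter(row.get("ClientIpAddress", "?") for row in hits))


if __name__ == "__main__":
    hits = find_proxylogon_hits(SAMPLE_LOG)
    for row in hits:
        print(f'{row["DateTime"]} {row["ClientIpAddress"]} {row["UrlStem"]} -> {row["AnchorMailbox"]}')
    print("hits per client:", hits_by_client(hits))
```

On a real server, feed each file from the HttpProxy log directories through parse_httpproxy_log and treat every hit as a lead for a webshell hunt in the OWA and ECP directories, since a successful chain writes its ASPX shell there. Microsoft's Test-ProxyLogon.ps1 script runs the same AuthenticatedUser/AnchorMailbox check in PowerShell, which is the quicker option when you are already on the Exchange host.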
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Proxylogon (5 votes)
ProxyLogon is a significant software vulnerability, specifically a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. Identified as CVE-2021-26855, it forms part of the ProxyLogon exploit chain and allows attackers to bypass authentication mechanisms and impersonate users
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Ransomware
Vulnerability
Exploit
Associated Vulnerabilities
CVE-2021-26857 (relationship type unspecified, 2 votes)
No profile description
Proxyshell (relationship type unspecified, 2 votes)
ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
CVE-2021-26858 (relationship type unspecified, 2 votes)
No profile description
CVE-2021-27065 (relationship type unspecified, 2 votes)
No profile description
Source Document References
Information about the CVE-2021-26855 vulnerability was read from the documents below (source, age of the record, title; display limited to 20 results).
Securelist (11 days ago): Most interesting IR cases in 2023: insider threats and more
BankInfoSecurity (4 months ago): Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42 (4 months ago): Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
CERT-EU (7 months ago): Sensor Intel Series: Top CVEs in December 2023
MITRE (9 months ago): Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 | Microsoft Security Blog
MITRE (9 months ago): Ransomware Spotlight: AvosLocker
MITRE (9 months ago): Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog
MITRE (9 months ago): An In-Depth Look at Black Basta Ransomware
CERT-EU (9 months ago): Rackspace Ransomware Costs Soar to Nearly $12M | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (9 months ago): Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
CERT-EU (10 months ago): Sensor Intel Series: Top CVEs in October 2023
CERT-EU (10 months ago): Are DarkGate and PikaBot the new QakBot?
DARKReading (10 months ago): Rackspace Ransomware Costs Soar to Nearly $12M
CERT-EU (10 months ago): Gov to create safe harbour for companies under cyber attack
CERT-EU (a year ago): Sensor Intel Series: Top CVEs in August 2023 | F5 Labs
CERT-EU (a year ago): Cyber Security Week in Review: September 15, 2023
ESET (a year ago): Sponsor with batch-filed whiskers: Ballistic Bobcat's scan and strike backdoor
BankInfoSecurity (a year ago): Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU (a year ago): 'Scan-and-exploit' campaign snares unpatched Exchange servers
CERT-EU (a year ago): Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor