Detections
Analytics

CVE-2021-34473

critical

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

From the Tenable Blog

ProxyShell: Attackers Actively Scanning for Vulnerable Microsoft Exchange Servers (CVE-2021-34473)
ProxyShell: Attackers Actively Scanning for Vulnerable Microsoft Exchange Servers (CVE-2021-34473)

Published: 2021-08-09

Three vulnerabilities from DEVCORE researcher Orange Tsai could be chained to achieve unauthenticated remote code execution. Attackers are searching for vulnerable instances to exploit. Update August 23: The Analysis section has been updated with information about exploitation of this vulnerability chain. Organizations should update immediately.

References

https://www.zerodayinitiative.com/advisories/ZDI-21-821/

https://thehackernews.com/2025/06/hackers-target-65-microsoft-exchange.html

https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/

https://www.securityweek.com/cisa-fbi-warn-of-china-linked-ghost-ransomware-attacks/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

https://www.bleepingcomputer.com/news/security/cisa-and-fbi-ghost-ransomware-breached-orgs-in-70-countries/

https://www.helpnetsecurity.com/2025/02/13/sandworm-apts-initial-access-subgroup-hits-organizations-accross-the-globe/

https://hackread.com/microsoft-badpilot-campaign-seashell-blizzard-usa-uk/

https://www.theregister.com/2025/02/12/russias_sandworm_caught_stealing_credentials/

https://www.securityweek.com/russian-seashell-blizzard-hackers-gain-maintain-access-to-high-value-targets-microsoft/

https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/

https://www.darkreading.com/threat-intelligence/microsoft-russian-sandworm-apt-exploits-edge-bugs-globally

https://www.bleepingcomputer.com/news/security/badpilot-network-hacking-campaign-fuels-russian-sandworm-attacks/

https://therecord.media/sandworm-subgroup-russia-europe

https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html

https://securelist.com/exploits-and-vulnerabilities-q3-2024/114839/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

https://therecord.media/fbi-says-bianlian-based-in-russia-switching-tactics

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a

https://securelist.com/new-tropic-trooper-web-shell-infection/113737/

https://www.wsj.com/politics/national-security/u-s-allies-issue-rare-warning-on-chinese-hacking-group-9eebb0ce

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a

https://unit42.paloaltonetworks.com/operation-diplomatic-specter/

https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html

https://securelist.com/vulnerability-report-q1-2024/112554/

https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

https://research.nccgroup.com/2023/11/20/is-this-the-real-life-is-this-just-fantasy-caught-in-a-landslide-noescape-from-ncc-group/

https://www.zscaler.com/blogs/security-research/retrospective-avoslocker

https://cyware.com/resources/research-and-analysis/beneath-the-surface-avoslockers-ransomware-as-a-service-and-cybercrime-tactics-f14f

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

https://www.tenable.com/cyber-exposure/tenable-2022-threat-landscape-report

https://duo.com/decipher/hive-ransomware-attacks-target-fortios-microsoft-exchange-flaws

https://www.tenable.com/cyber-exposure/a-look-inside-the-ransomware-ecosystem

https://unit42.paloaltonetworks.com/lockbit-2-ransomware/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a

https://www.tenable.com/cyber-exposure/2021-threat-landscape-retrospective

https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://www.cisa.gov/sites/default/files/publications/AA21-321A-Iranian%20Government-Sponsored%20APT%20Actors%20Exploiting%20Microsoft%20Exchange%20and%20Fortinet%20Vulnerabilities.pdf

https://www.securityweek.com/babuk-ransomware-seen-exploiting-proxyshell-vulnerabilities/

https://web.archive.org/web/20211025233339/https://twitter.com/pancak3lullz/status/1452679527197560837

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows

https://www.fortiguard.com/threat-signal-report/4121/brand-new-lockfile-ransomware-distributed-through-proxyshell-and-petitpotam

https://www.zerodayinitiative.com/blog/2024/9/4/exploiting-exchange-powershell-after-proxynotshell-part-1-multivaluedproperty

https://www.tenable.com/blog/microsofts-feb-2024-patch-tuesday-cve-2024-21351-cve-2024-21412

https://www.tenable.com/blog/aa23-215a-2022s-top-routinely-exploited-vulnerabilities

https://www.tenable.com/blog/proxynotshell-owassrf-tabshell-patch-your-microsoft-exchange-servers-now

https://www.tenable.com/blog/aa22-257a-cybersecurity-joint-advisory-on-iranian-islamic-revolutionary-guard-ransomware

https://www.tenable.com/blog/proxyshell-attackers-actively-scanning-for-vulnerable-microsoft-exchange-servers-cve-2021-34473

https://www.tenable.com/blog/microsoft-s-july-2021-patch-tuesday-includes-116-cves-cve-2021-31979-cve-2021-33771

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473

http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2021-07-14

Updated: 2025-02-24

Named Vulnerability: ProxyShellKnown Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.94226