ProxyLogon — Microsoft Exchange Server Server-Side Request Forgery
A server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server allows an unauthenticated attacker to make the server issue arbitrary HTTP requests and to authenticate to its own back-end services as the Exchange server itself. Chained with three additional Exchange vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), it delivers full pre-authentication remote code execution: the "ProxyLogon" chain exploited at mass scale in early 2021.
- Vendor: Microsoft
- Product: Exchange Server
- CVSS: 9.8
- Status: KEV (listed in CISA's Known Exploited Vulnerabilities catalog)
- Published:
CVE-2021-26855 is the first link in the “ProxyLogon” exploit chain against on-premises Microsoft Exchange Server (Exchange Server 2013, 2016 and 2019; Exchange Online is not affected), disclosed on March 2, 2021. On its own it is a server-side request forgery bug that lets an unauthenticated attacker make Exchange send requests on their behalf and authenticate as the server itself. Chained with a post-authentication arbitrary-file-write vulnerability from the same release (CVE-2021-27065 in the chain seen in the wild), the attacker can write a webshell into a web-served directory and gain persistent, unauthenticated remote code execution. No credentials are needed at any point, because the SSRF supplies the server's own identity to the later stages.
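As an added example (this is not Microsoft's IOC script and not code from the page above), the following Python triage script applies two of the log checks Microsoft published alongside the patches to exported Exchange logs: an HttpProxy request with an empty AuthenticatedUser whose AnchorMailbox matches Microsoft's wildcard `ServerInfo~*/*` (an anonymous request that smuggled a back-end URL, i.e. the SSRF), and an ECP Server log line running a `Set-*VirtualDirectory` cmdlet (the footprint of the file-write stage). The log locations and the HttpProxy column names are Exchange's real ones; every sample log line, host name, SID and IP address below is constructed for the example, and the ECP line format is simplified.

```python
"""Offline triage of exported Exchange logs for ProxyLogon (CVE-2021-26855) artefacts.

Added example; not Microsoft's IOC script.  It re-implements in Python two of the
log checks Microsoft published with the 2021-03-02 advisory:

  * HttpProxy logs (...\\V15\\Logging\\HttpProxy): a request with an empty
    AuthenticatedUser whose AnchorMailbox matches 'ServerInfo~*/*'.
  * ECP Server logs (...\\V15\\Logging\\ECP\\Server): a 'Set-.+VirtualDirectory'
    cmdlet run, the footprint of the arbitrary-file-write stage (CVE-2021-27065).

All sample log content below is constructed for the example.
"""
import csv
import re
from typing import Dict, List

# Real HttpProxy layout: '#' metadata lines, then a header row, then CSV data
# (column subset shown).  The three data rows are constructed; row 3 is the
# attacker-style request from 203.0.113.7.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2106.002
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-01T10:00:01.000Z,1,Owa,/owa/,CONTOSO\\alice,Sid~S-1-5-21-1-2-3-1001,10.0.0.5,200
2021-03-01T10:00:05.000Z,2,Ecp,/ecp/,,ServerInfo~exch01.contoso.local,10.0.0.6,401
2021-03-01T10:01:12.000Z,3,Owa,/owa/auth/x.js,,ServerInfo~a]@exch01.contoso.local:444/ecp/proxyLogon.ecp?#,203.0.113.7,200
"""

# ECP Server log lines, constructed and simplified.  The second line shows an OAB
# virtual directory being reset with an ExternalUrl that carries script, which is
# how the in-the-wild chain got its webshell written to disk.
SAMPLE_ECP_SERVER_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: ECP Server Log
2021-03-01T10:01:13.000Z,exch01,Get-OabVirtualDirectory -Identity 'exch01\\OAB (Default Web Site)'
2021-03-01T10:01:14.000Z,exch01,Set-OabVirtualDirectory -Identity 'exch01\\OAB (Default Web Site)' -ExternalUrl 'http://f/<script language="JScript" runat="server">...</script>'
2021-03-01T10:05:00.000Z,exch01,Get-Mailbox -Identity alice
"""


def parse_exchange_csv(text: str) -> List[Dict[str, str]]:
    """Parse an Exchange CSV log into dict rows.

    Exchange prefixes each file with '#Software', '#Fields' and similar lines;
    dropping every '#' line leaves the header row followed by the data rows
    (PowerShell's Import-Csv skips '#' lines the same way).
    """
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(lines))


# Microsoft's wildcard 'ServerInfo~*/*' as a regex.  The '/' is the tell: a
# legitimate ServerInfo anchor names a server, not a server plus a URL path.
SSRF_ANCHOR = re.compile(r"^ServerInfo~.*/")


def find_proxylogon_ssrf(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """HttpProxy rows that were never authenticated yet carry a back-end URL."""
    return [
        r for r in rows
        if r.get("AuthenticatedUser", "") == ""
        and SSRF_ANCHOR.match(r.get("AnchorMailbox", ""))
    ]


# Cmdlet-name form of Microsoft's 'Set-.+VirtualDirectory' indicator.
VDIR_RESET = re.compile(r"Set-\w+VirtualDirectory")


def find_virtualdirectory_resets(text: str) -> List[str]:
    """ECP Server log lines on which a virtual directory was reconfigured."""
    return [ln for ln in text.splitlines()
            if not ln.startswith("#") and VDIR_RESET.search(ln)]


def triage(httpproxy_text: str, ecp_text: str) -> Dict[str, List[str]]:
    """Run both checks.  A non-empty 'ssrf' list means the host must be treated
    as compromised until proven otherwise; the path inside AnchorMailbox names
    the back-end application (here /ecp/) whose own logs to read next."""
    ssrf = find_proxylogon_ssrf(parse_exchange_csv(httpproxy_text))
    return {
        "ssrf": [f"{r['DateTime']} {r['ClientIpAddress']} -> {r['AnchorMailbox']}" for r in ssrf],
        "vdir_resets": find_virtualdirectory_resets(ecp_text),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_HTTPPROXY_LOG, SAMPLE_ECP_SERVER_LOG).items():
        print(f"{kind}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On a real server the inputs are the files under `%ProgramFiles%\Microsoft\Exchange Server\V15\Logging\HttpProxy` and `...\Logging\ECP\Server`; feed each file's text to `triage`. Two caveats: these logs rotate, so an empty result only covers the retained window, and a hit on an already-patched server is still a finding, because the patch does not remove a webshell that was written before it was applied.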
Why it mattered
Microsoft disclosed the chain alongside emergency patches after detecting active, targeted exploitation by a threat group it named Hafnium, which had been using the bugs against on-premises Exchange servers to exfiltrate mailbox data. Within days of disclosure, exploitation shifted from narrow espionage to indiscriminate mass scanning and webshell deployment by multiple opportunistic groups, and tens of thousands of organizations running on-premises Exchange were compromised worldwide before most had applied the patch. The cleanup prompted an unusual step: in April 2021 the FBI obtained a court order authorizing it to remotely remove webshells from privately owned servers whose operators had not cleaned them up.
CISA issued Emergency Directive 21-02 on March 3, 2021, requiring federal agencies to patch or disconnect vulnerable Exchange servers within days rather than the usual weeks. Applying the update closes the chain but does not remove a webshell that was already written, so a server that was exposed before patching still needs the IOC checks Microsoft published (the HttpProxy, ECP Server and OABGenerator logs, and unexpected .aspx files under the Exchange web roots). Full technical detail and the complete four-CVE chain are documented in Microsoft's security response and in the NVD entry for CVE-2021-26855.
