CVE-2021-26855
Published: 03 March 2021
Summary
CVE-2021-26855 is a critical-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2021-26855 is a remote code execution vulnerability in Microsoft Exchange Server that stems from server-side request forgery (CWE-918). It carries a CVSS 3.1 score of 9.1, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality and integrity.
An unauthenticated attacker with network access can exploit the flaw to perform SSRF attacks that lead to arbitrary file writes, unauthenticated email downloads, and remote code execution on affected servers, as demonstrated by multiple public proof-of-concept implementations.
The Microsoft Security Response Center advisory linked in the references provides official guidance on patches and mitigations, while additional technical details and exploit artifacts appear in the listed PacketStorm reports.
The associated EPSS score remains elevated: its current value is 0.9431, with a recorded peak of 0.9754.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13639
Vulnerability details
Microsoft Exchange Server Remote Code Execution Vulnerability
- CWE(s): CWE-918
- KEV Date Added: 03 November 2021
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of patches that remediate the Exchange SSRF/RCE flaw described in the CVE.
- AC-3 (Access Enforcement): Enforces access-control policy on Exchange endpoints so that unauthenticated SSRF requests cannot reach internal resources or achieve file writes.
- Boundary protection: Boundary-protection mechanisms (firewalls, proxies, allow-lists) can block or restrict the network vectors used for unauthenticated SSRF against Exchange.