Cyber Resilience

CVE-2021-26855

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 03 March 2021

Modified: 18 December 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 1.0000 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-26855 is a critical-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 9.1 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-26855 is a remote code execution vulnerability in Microsoft Exchange Server that stems from server-side request forgery (CWE-918). It carries a CVSS 3.1 score of 9.1, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality and integrity.

An unauthenticated attacker with network access can exploit the flaw to perform SSRF attacks that lead to arbitrary file writes, unauthenticated email downloads, and remote code execution on affected servers, as demonstrated by multiple public proof-of-concept implementations.

The Microsoft Security Response Center advisory linked in the references provides official guidance on patches and mitigations, while additional technical details and exploit artifacts appear in the listed PacketStorm reports.

The associated EPSS score remains elevated at a current value of 0.9431 with a recorded peak of 0.9754.

Vulnerability details

Microsoft Exchange Server Remote Code Execution Vulnerability

CWE(s): CWE-918 (SSRF)
KEV Date Added: 03 November 2021

Related Threats

CVEs Like This One

CVE-2021-34473 (same product: Microsoft Exchange Server; both on KEV)
CVE-2022-41040 (same product: Microsoft Exchange Server; both on KEV)
CVE-2021-31207 (same product: Microsoft Exchange Server; both on KEV)
CVE-2021-27065 (same product: Microsoft Exchange Server; both on KEV)
CVE-2021-34523 (same product: Microsoft Exchange Server; both on KEV)
CVE-2022-41082 (same product: Microsoft Exchange Server; both on KEV)
CVE-2026-42897 (same product: Microsoft Exchange Server; both on KEV)
CVE-2025-21177 (same vendor: Microsoft)
CVE-2026-41091 (same vendor: Microsoft; both on KEV)
CVE-2025-68645 (same product class: email / collaboration; both on KEV)

Affected Assets

Vendor: Microsoft
Product: Exchange Server
Versions: 2013, 2016, 2019

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Directly requires timely installation of patches that remediate the Exchange SSRF/RCE flaw described in the CVE.

prevent · AC-3 (Access Enforcement): Enforces access-control policy on Exchange endpoints so that unauthenticated SSRF requests cannot reach internal resources or achieve file writes.

prevent · Boundary protection: Boundary-protection mechanisms (firewalls, proxies, allow-lists) can block or restrict the network vectors used for unauthenticated SSRF against Exchange.

References