Cyber Resilience

CVE-2021-26857

Severity: High | CISA KEV | Active Exploitation | EUVD Exploited | Ransomware-linked

Published: 03 March 2021
Modified: 18 December 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.4051 (97.5th percentile)
Risk Priority: 60 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-26857 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Exchange Server. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

Microsoft Exchange Server is affected by a remote code execution vulnerability tracked as CVE-2021-26857 and assigned CWE-502 for deserialization of untrusted data. The flaw carries a CVSS 3.1 score of 7.8 with an attack vector of local access, low complexity, no privileges required, and user interaction needed, resulting in high impact to confidentiality, integrity, and availability.

An attacker who can supply a malicious serialized object to the affected Exchange component can trigger code execution on the server. Because the vector is local and requires user interaction, exploitation typically involves an attacker with the ability to place or induce processing of a crafted file or message on the target system.

Microsoft’s security advisory provides patching guidance, and the vulnerability appears in CISA’s catalog of known exploited vulnerabilities, confirming observed in-the-wild exploitation.

EU & UK References

Vulnerability details

Microsoft Exchange Server Remote Code Execution Vulnerability

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft
Product: Exchange Server
Versions: 2010, 2013, 2016, 2019

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly blocks deserialization of attacker-supplied untrusted objects by enforcing validation of all input before processing.

Prevent / Detect: Requires integrity verification of software and data to detect or reject malicious serialized payloads before code execution occurs.

Prevent / Detect: Deploys malicious-code detection mechanisms that can identify and block crafted serialized objects used for RCE.

References