CVE-2021-26857
Published: 03 March 2021
Summary
CVE-2021-26857 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Exchange Server. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
Microsoft Exchange Server is affected by a remote code execution vulnerability tracked as CVE-2021-26857 and assigned CWE-502 for deserialization of untrusted data. The flaw carries a CVSS 3.1 score of 7.8 with an attack vector of local access, low complexity, no privileges required, and user interaction needed, resulting in high impact to confidentiality, integrity, and availability.
An attacker who can supply a malicious serialized object to the affected Exchange component can trigger code execution on the server. Because the vector is local and requires user interaction, exploitation typically involves an attacker with the ability to place or induce processing of a crafted file or message on the target system.
Microsoft’s security advisory provides patching guidance, and the vulnerability appears in CISA’s catalog of known exploited vulnerabilities, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13641
Vulnerability details
Microsoft Exchange Server Remote Code Execution Vulnerability
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks deserialization of attacker-supplied untrusted objects by enforcing validation of all input before processing.
- SI-7 (Software, Firmware, and Information Integrity): Requires integrity verification of software and data to detect or reject malicious serialized payloads before code execution occurs.
- Malicious code protection: Deploys malicious-code detection mechanisms that can identify and block crafted serialized objects used for RCE.