CVE-2021-31207
Published: 11 May 2021
Summary
CVE-2021-31207 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Microsoft Exchange Server. Its CVSS base score is 6.6 (Medium).
Operationally, it ranks in the top 0.0% (rounded) of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2021-31207 is titled a security feature bypass vulnerability in Microsoft's advisory and is tracked under CWE-434 (unrestricted upload of files with dangerous types) because the underlying flaw lets an authenticated, highly privileged user write an attacker-controlled file of an executable type onto the Exchange server. It carries a CVSS 3.1 base score of 6.6 (vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H): network attack vector, high attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
The medium score reflects exploitation in isolation, where the attacker must already hold Exchange administrative rights. Public references associate the issue with the ProxyShell remote code execution chain, in which a pre-authentication path-confusion bug (CVE-2021-34473) and a privilege-elevation bug in the PowerShell backend (CVE-2021-34523) supply exactly that privileged access, so in practice the precondition is met by an unauthenticated remote attacker. That is why a 6.6-scored issue sits in the KEV catalog, and why patch status rather than the base score should drive prioritisation.
Microsoft Security Response Center advisory CVE-2021-31207 and the corresponding Zero Day Initiative advisory ZDI-21-819 describe the vulnerability; the fix shipped in the May 2021 Exchange Server security updates, and the advisories outline the patches and configuration guidance for affected Exchange deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-18120
Vulnerability details
Microsoft Exchange Server Security Feature Bypass Vulnerability
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- KEV date added: 03 November 2021
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly counters CWE-434 unrestricted file upload by validating both the declared file type and the file content before Exchange accepts and writes the file.
- CM-7 (Least Functionality): limits upload and execution functionality on Exchange servers, for example by not serving script-executable files from writable directories, so that dangerous file types cannot be processed even if a bypass is attempted.
- SI-3 (Malicious Code Protection): provides malicious-code scanning and blocking at the point of file receipt, mitigating the ProxyShell-style upload of a web shell that leads to RCE.
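The following is an added example, not code from the page, from Microsoft, or from the Exchange product: it shows what the SI-10 and CM-7 controls above look like as a deny-by-default upload gate for any web application that stores files under a web-served path. The allowlist of image/PDF types, the list of server-executable extensions, and the use of a server-generated storage name are illustrative assumptions; the point generalises beyond Exchange to any CWE-434 exposure. The gate accepts a file only when its name is safe, every extension segment is checked (so `shell.aspx.png` and `shell.png.aspx` both fail), the extension is allowlisted, and the leading bytes match that type, so a lying filename or Content-Type header cannot get an ASP.NET page written where the web server would execute it.

```python
"""Deny-by-default upload gate illustrating CWE-434 mitigation.

Added example (not Microsoft or Exchange code). The type allowlist,
the server-executable extension list and the random storage name are
illustrative assumptions, not values taken from any advisory.
"""
from dataclasses import dataclass
import os
import re
import uuid

# SI-10: accept only allowlisted extensions, and only when the content's
# leading bytes match the type the name claims. (Constructed allowlist.)
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}

# CM-7: types the web server would execute or interpret must never be
# accepted, whatever other checks say. (Constructed, illustrative list.)
SERVER_EXEC_EXTS = {
    ".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".ps1", ".dll",
}

# Plain basename only: alphanumerics, dot, underscore, dash; must start
# with an alphanumeric so "..png", ".htaccess" and empty stems are refused.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-chosen name; client never controls it


def validate_upload(declared_name: str, data: bytes) -> Verdict:
    """Return a Verdict for a client-supplied filename and its bytes."""
    # 1. Strip any directory component the client sent (defeats traversal
    #    such as ../../inetpub/wwwroot/x.png on either separator).
    base = os.path.basename(declared_name.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return Verdict(False, "unsafe filename")

    # 2. Examine every extension segment, not just the last one.
    exts = ["." + p for p in base.lower().split(".")[1:]]
    if any(e in SERVER_EXEC_EXTS for e in exts):
        return Verdict(False, "server-executable extension")
    if len(exts) != 1 or exts[0] not in ALLOWED_TYPES:
        return Verdict(False, "extension not allowlisted")

    # 3. The bytes must look like the declared type; labels are not trusted.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[exts[0]]):
        return Verdict(False, "content does not match declared type")

    # 4. Store under a server-generated name with the validated extension,
    #    so an attacker cannot choose a name the web server treats specially.
    return Verdict(True, "ok", f"{uuid.uuid4().hex}{exts[0]}")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed sample
    for name, blob in [
        ("photo.png", png),
        ("shell.aspx", b'<%@ Page Language="C#" %>'),
        ("shell.png.aspx", png),
        ("shell.aspx.png", png),
        ("..\\..\\inetpub\\wwwroot\\x.png", png),
        ("x.png", b"<% Response.Write(1) %>"),
    ]:
        print(f"{name!r:40} -> {validate_upload(name, blob)}")
```

Storing accepted files outside any web-served directory (and serving them back through a handler that sets a fixed Content-Type) completes the CM-7 side; the gate above only guarantees that nothing executable gets that far.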