CVE-2021-33766
Published: 14 July 2021
Summary
CVE-2021-33766 is a high-severity vulnerability in Microsoft Exchange Server; its weakness type (CWE) is unspecified. Its CVSS base score is 7.3 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Microsoft Exchange Server contains an information disclosure vulnerability tracked as CVE-2021-33766. The flaw received a CVSS 3.1 score of 7.3, with a vector indicating a network attack vector, low attack complexity, no privileges or user interaction required, and limited (low) impacts to confidentiality, integrity, and availability.
An unauthenticated attacker with network access can exploit the issue to obtain sensitive information from the server and achieve limited additional effects on integrity and availability. The vulnerability was publicly disclosed on 14 July 2021.
Microsoft published remediation guidance in its Security Response Center advisory, and the flaw appears in the CISA Known Exploited Vulnerabilities catalog, which confirms observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-20443
Vulnerability details
Microsoft Exchange Server Information Disclosure Vulnerability
- CWE(s): unspecified
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks before allowing any access to Exchange data, blocking the unauthenticated network exploitation path described in CVE-2021-33766.
- SC-7 (Boundary Protection): restricts and monitors all inbound network traffic to Exchange endpoints, preventing an unauthenticated remote attacker from reaching the vulnerable interfaces.
- Requires identification and authentication of all organizational users before granting access to Exchange, eliminating the no-privilege exploitation condition of CVE-2021-33766.