
CVE-2021-33766

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 July 2021
Modified: 29 October 2025
KEV Added: 18 January 2022
CVSS Score (v3.1): 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.9375 (99.9th percentile)
Risk Priority: 91 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-33766 is a high-severity vulnerability in Microsoft Exchange Server (an information disclosure flaw; no CWE has been assigned). Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

Microsoft Exchange Server contains an information disclosure vulnerability tracked as CVE-2021-33766. The flaw received a CVSS 3.1 score of 7.3; its vector indicates a network-reachable flaw with low attack complexity, no privileges or user interaction required, and a low impact on each of confidentiality, integrity, and availability.

An unauthenticated attacker with network access can exploit the issue to obtain sensitive information from the server, with limited additional effects on integrity and availability. The vulnerability was publicly disclosed on 14 July 2021.

Microsoft published remediation guidance in its Security Response Center advisory, and the flaw appears in the CISA Known Exploited Vulnerabilities catalog, confirming that exploitation has been observed in the wild.

Vulnerability details

Title: Microsoft Exchange Server Information Disclosure Vulnerability
CWE(s): not listed
KEV Date Added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft
Product: Exchange Server
Versions: 2013, 2016, 2019

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), control type: prevent
Directly enforces authentication and authorization checks before allowing any access to Exchange data, blocking the unauthenticated network exploitation path described in CVE-2021-33766.

SC-7 (Boundary Protection), control type: prevent
Restricts and monitors all inbound network traffic to Exchange endpoints, preventing an unauthenticated remote attacker from reaching the vulnerable interfaces.

Control type: prevent
Requires identification and authentication of all organizational users before granting access to Exchange, eliminating the no-privilege exploitation condition of CVE-2021-33766.
