CVE-2021-34473
Published: 14 July 2021
Summary
CVE-2021-34473 is a critical-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Microsoft Exchange Server is affected by a remote code execution vulnerability tracked as CVE-2021-34473 with a CVSS score of 9.1. The flaw is categorized under CWE-918 and permits an unauthenticated attacker to perform server-side request forgery against the product.
An attacker with network access can exploit the issue without authentication or user interaction to obtain high-impact effects on confidentiality and integrity while leaving availability unaffected. Public references explicitly link the vulnerability to the ProxyShell attack chain that chains multiple Exchange flaws for remote code execution.
Microsoft has published official guidance for the vulnerability in its security advisory, along with related details from the Zero Day Initiative. Public exploit artifacts referencing ProxyShell remote code execution have also been posted to repositories such as PacketStorm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-21128
Vulnerability details
Microsoft Exchange Server Remote Code Execution Vulnerability
- CWE(s): CWE-918 (Server-Side Request Forgery)
- KEV Date Added: 03 November 2021
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces access-control policy on Exchange web interfaces so unauthenticated SSRF requests from ProxyShell cannot reach vulnerable endpoints.
- SI-10 (Information Input Validation): requires validation of all input used to construct server-side requests, directly blocking the CWE-918 SSRF vector exploited by CVE-2021-34473.
- SC-7 (Boundary Protection): boundary-protection devices can filter or deny the external HTTP requests that initiate the unauthenticated ProxyShell SSRF chain against Exchange.