CVE-2021-34473

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 14 July 2021
Modified: 29 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.0000 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-34473 is a critical-severity SSRF (CWE-918) vulnerability in Microsoft Exchange Server. Its CVSS base score is 9.1 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Microsoft Exchange Server is affected by a remote code execution vulnerability tracked as CVE-2021-34473 with a CVSS score of 9.1. The flaw is categorized under CWE-918 and permits an unauthenticated attacker to perform server-side request forgery against the product.

An attacker with network access can exploit the issue without authentication or user interaction, with high impact on confidentiality and integrity and no impact on availability. Public references explicitly link the vulnerability to the ProxyShell attack chain, which chains multiple Exchange flaws to achieve remote code execution.

Microsoft has published official guidance for the vulnerability in its security advisory, along with related details from the Zero Day Initiative. Public exploit artifacts referencing ProxyShell remote code execution have also been posted to repositories such as PacketStorm.

Vulnerability details

Microsoft Exchange Server Remote Code Execution Vulnerability

CWE(s): CWE-918 (Server-Side Request Forgery)
KEV Date Added: 03 November 2021

Related Threats

CVEs Like This One

CVE-2022-41040: same product (Microsoft Exchange Server); both on KEV
CVE-2021-26855: same product (Microsoft Exchange Server); both on KEV
CVE-2021-31207: same product (Microsoft Exchange Server); both on KEV
CVE-2021-27065: same product (Microsoft Exchange Server); both on KEV
CVE-2021-34523: same product (Microsoft Exchange Server); both on KEV
CVE-2022-41082: same product (Microsoft Exchange Server); both on KEV
CVE-2026-42897: same product (Microsoft Exchange Server); both on KEV
CVE-2025-21177: same vendor (Microsoft)
CVE-2026-41091: same vendor (Microsoft); both on KEV
CVE-2025-68645: same product class (email / collaboration); both on KEV

Affected Assets

Vendor: Microsoft
Product: Exchange Server
Versions: 2013, 2016, 2019

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Enforces access-control policy on Exchange web interfaces so unauthenticated SSRF requests from ProxyShell cannot reach vulnerable endpoints.

SI-10 (Information Input Validation), prevent: Requires validation of all input used to construct server-side requests, directly blocking the CWE-918 SSRF vector exploited by CVE-2021-34473.

SC-7 (Boundary Protection), prevent: Boundary-protection devices can filter or deny the external HTTP requests that initiate the unauthenticated ProxyShell SSRF chain against Exchange.