Cyber Resilience

CVE-2021-34523

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 14 July 2021
Modified: 30 October 2025
KEV Added: 03 November 2021
Patch:
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.9999 (100.0th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-34523 is a critical-severity vulnerability in Microsoft Exchange Server whose weakness type is unspecified (no CWE is listed). Its CVSS base score is 9.0 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-34523 is an elevation of privilege vulnerability affecting Microsoft Exchange Server. It carries a CVSS 3.1 base score of 9.0 under the vector AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N and is listed without an associated CWE.

An attacker with local access and no prior privileges or user interaction can exploit the flaw to obtain high-impact effects on confidentiality and integrity, with the impact extending across a security boundary due to the changed scope.

Public references link the issue to Microsoft Security Response Center guidance and Zero Day Initiative advisory ZDI-21-822, along with proof-of-concept material describing its role in ProxyShell remote code execution chains against Exchange deployments.

EU & UK References

Vulnerability details

Microsoft Exchange Server Elevation of Privilege Vulnerability

CWE(s): none listed
KEV Date Added: 03 November 2021

Related Threats

CVEs Like This One

CVE-2021-34473 · Same product: Microsoft Exchange Server · both on KEV
CVE-2022-41040 · Same product: Microsoft Exchange Server · both on KEV
CVE-2021-31207 · Same product: Microsoft Exchange Server · both on KEV
CVE-2021-26855 · Same product: Microsoft Exchange Server · both on KEV
CVE-2021-27065 · Same product: Microsoft Exchange Server · both on KEV
CVE-2022-41082 · Same product: Microsoft Exchange Server · both on KEV
CVE-2026-42897 · Same product: Microsoft Exchange Server · both on KEV
CVE-2026-41091 · Same vendor: Microsoft · both on KEV
CVE-2025-68645 · Same product class: email / collaboration · both on KEV
CVE-2025-24985 · Same vendor: Microsoft · both on KEV

Affected Assets

Vendor: microsoft
Product: exchange server
Versions: 2013, 2016, 2019

Mitigating Controls (NIST 800-53 r5)

prevent · AC-3 (Access Enforcement): Directly enforces access-control policies that the EoP flaw bypasses, stopping unauthorized privilege escalation across security boundaries.

prevent · SI-2 (Flaw Remediation): Requires prompt installation of the vendor patch that eliminates the Exchange Server EoP vulnerability exploited in ProxyShell chains.

prevent: Limits privileges assigned to Exchange processes and accounts, reducing the impact even if the local EoP succeeds.

References