ProxyLogon (CVE-2021-26855)
What is ProxyLogon (CVE-2021-26855)?
A 2021 server-side request forgery in Microsoft Exchange Server that, chained with three other CVEs, allowed unauthenticated attackers to take over on-prem Exchange.
ProxyLogon (CVE-2021-26855) is a pre-authentication SSRF in Microsoft Exchange Server that lets an attacker send arbitrary HTTP requests as the Exchange server. Chained with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, attackers achieved unauthenticated remote code execution on on-premises Exchange and planted web shells on tens of thousands of mailboxes worldwide in early 2021. Microsoft attributed initial exploitation to the HAFNIUM group; mass exploitation by multiple actors followed within days of the March 2021 emergency patch. Defences: apply the March 2021 security updates (and later cumulative updates), run the Microsoft Safety Scanner and HAFNIUM IOC scripts, and migrate where possible to Exchange Online.
● Examples
- 01: HAFNIUM exploiting ProxyLogon to install China Chopper web shells across thousands of Exchange servers.
- 02: Cryptojacking groups dropping XMRig miners on Exchange hosts compromised via ProxyLogon.
● Frequently asked questions
What is ProxyLogon (CVE-2021-26855)?
A 2021 server-side request forgery in Microsoft Exchange Server that, chained with three other CVEs, allowed unauthenticated attackers to take over on-prem Exchange. It belongs to the Vulnerabilities category of cybersecurity.
What does ProxyLogon (CVE-2021-26855) mean?
A 2021 server-side request forgery in Microsoft Exchange Server that, chained with three other CVEs, allowed unauthenticated attackers to take over on-prem Exchange.
How do you defend against ProxyLogon (CVE-2021-26855)?
Defences for ProxyLogon (CVE-2021-26855) combine technical controls and operational practices: apply the March 2021 Exchange security updates (and later cumulative updates), run the Microsoft Safety Scanner and the HAFNIUM IOC scripts to find web shells and other signs of compromise, and migrate to Exchange Online where possible, as described in the full definition above.
What are other names for ProxyLogon (CVE-2021-26855)?
Common alternative names include: CVE-2021-26855, Exchange SSRF chain.