ProxyShell
What is ProxyShell?
ProxyShell: A 2021 exploit chain in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that combined three flaws into unauthenticated remote code execution.
ProxyShell is the name for a chain of three Microsoft Exchange Server vulnerabilities demonstrated by researcher Orange Tsai (DEVCORE) at Pwn2Own 2021 and detailed at Black Hat USA 2021. The chain stitches together a pre-authentication path-confusion flaw (SSRF-like in effect) in the way the Client Access frontend normalises Autodiscover URLs (CVE-2021-34473), a privilege-elevation flaw in the Exchange PowerShell backend (CVE-2021-34523), and a post-authentication arbitrary file write through the mailbox-export cmdlet (CVE-2021-31207).
The chain works because the Exchange frontend proxies requests to backend endpoints in the NT AUTHORITY\SYSTEM machine context. A crafted Autodiscover URL of the form /autodiscover/autodiscover.json?@attacker-host/powershell/... confuses the frontend's URL normalisation, so the request is forwarded to the backend PowerShell endpoint with the frontend's privileged identity. The PowerShell backend then accepts a client-supplied Common Access Token (the X-Rps-CAT parameter), which lets the attacker impersonate an Exchange administrator and run cmdlets. Finally, New-MailboxExportRequest exports a mailbox containing an attacker-planted message to a PST file at an attacker-chosen UNC path under an IIS web root; because the PST on-disk encoding is predictable, the message body is prepared so that the exported file is a working .aspx web shell. Three individually modest bugs become unauthenticated RCE as SYSTEM. Confusingly, CVE-2021-34473 and CVE-2021-34523 were fixed silently in the April 2021 Exchange Security Update (and CVE-2021-31207 in the May 2021 update) before their advisories appeared in July, so many administrators did not realise they had ever been affected.
Mass scanning and .aspx web-shell deployment began within days of the public write-ups and proof-of-concept code that followed the August 2021 Black Hat talk; LockFile and Conti ransomware operators used the chain for initial access. Defences: apply the April and May 2021 Security Updates (or a later cumulative update) to every on-premises Exchange server, enable the Exchange Emergency Mitigation Service (available from the September 2021 cumulative updates), hunt the frontend IIS logs for path-confusion requests and the web roots for unexpected .aspx files, and assume that any internet-facing server patched after mid-August 2021 may already have been compromised.
flowchart TD
    A[Unauthenticated attacker] --> B[Crafted Autodiscover URL<br/>CVE-2021-34473 path confusion/SSRF]
    B --> C["Frontend proxies to backend<br/>as NT AUTHORITY\SYSTEM"]
    C --> D[Reach Exchange PowerShell backend<br/>CVE-2021-34523 privilege elevation]
    D --> E[New-MailboxExportRequest<br/>CVE-2021-31207 arbitrary file write]
    E --> F[Write .aspx web shell<br/>to web-reachable path]
    F --> G[Remote code execution as SYSTEM]
    G --> H[Ransomware / lateral movement]
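The hunting script below is an added example, not code from the original page or from Microsoft. It walks IIS W3C logs from the Exchange frontend and flags the request shapes each stage of the chain leaves behind: the Autodiscover path-confusion URL, an X-Rps-CAT token arriving from a client, and hits on .aspx files in the web roots the export trick can reach. It then groups hits by client IP so a single source that touched several stages stands out from a lone scanner. The log lines, host names and token value are constructed for the demo; the allowlist of legitimate .aspx pages is illustrative and should be replaced with an inventory taken from a known-good server.

```python
"""Hunt IIS W3C logs for the request shapes ProxyShell leaves behind.

Added example, not code from the original page. Log lines, hosts and the
token value are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Stage 1 (CVE-2021-34473): the path-confusion URL. IIS logs the part after
# the first "?" in cs-uri-query, so the "@host/backend/..." tail ends up there.
AUTODISCOVER_STEM = re.compile(r"/autodiscover/autodiscover\.json$", re.I)
CONFUSED_QUERY = re.compile(
    r"^@[^/]+/(powershell|mapi/nspi|ews|autodiscover)(?=[/?]|$)", re.I)
# Stage 2 (CVE-2021-34523): a Common Access Token supplied by the client for
# the PowerShell backend, which should never arrive from the internet.
RPS_CAT = re.compile(r"(^|[?&])X-Rps-CAT=", re.I)
# Stage 3 (after CVE-2021-31207): a request to an .aspx file in one of the
# web roots the export trick can reach. The allowlist is illustrative only;
# build yours from a known-good server.
WEBROOT_ASPX = re.compile(r"^/(aspnet_client|owa/auth|ecp/auth)/[^/]+\.aspx$", re.I)
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx",
              "/ecp/auth/timeoutlogout.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign fields
        yield dict(zip(fields, values))


def classify(rec):
    """Return the set of chain stages a single request resembles (empty if none)."""
    stages = set()
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    query = "" if query == "-" else unquote(query)
    if AUTODISCOVER_STEM.search(stem) and CONFUSED_QUERY.search(query):
        stages.add("path_confusion")
    if RPS_CAT.search(query):
        stages.add("rps_cat_token")
    if WEBROOT_ASPX.match(stem) and stem.lower() not in KNOWN_ASPX:
        stages.add("webshell_access")
    return stages


def hunt(log_text):
    """Map each client IP to the stages it exhibited; also return the raw hits."""
    stages_by_ip = defaultdict(set)
    hits = []
    for rec in parse_w3c(log_text):
        found = classify(rec)
        if found:
            ip = rec.get("c-ip", "?")
            stages_by_ip[ip].update(found)
            hits.append((ip, rec.get("cs-method"), rec.get("cs-uri-stem"), sorted(found)))
    return dict(stages_by_ip), hits


def chain_suspects(stages_by_ip):
    """IPs that touched more than one stage: that pattern is the chain, not a lone probe."""
    return sorted(ip for ip, s in stages_by_ip.items() if len(s) >= 2)


# Constructed sample log (default IIS W3C fields; nothing here is a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-18 03:12:44 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-18 03:13:01 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25 200
2021-08-18 03:13:05 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=AAAAfake&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25 200
2021-08-18 03:14:30 10.0.0.5 POST /aspnet_client/x.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2021-08-18 03:15:00 10.0.0.5 GET /autodiscover/autodiscover.json @probe.example/autodiscover/?Email=autodiscover/autodiscover.json%3F@probe.example 443 - 192.0.2.44 Go-http-client/1.1 401
"""

if __name__ == "__main__":
    by_ip, hits = hunt(SAMPLE_LOG)
    for ip, method, stem, stages in hits:
        print(f"{ip:15} {method:4} {stem:40} {','.join(stages)}")
    print("chain suspects:", chain_suspects(by_ip))
```

Point it at the logs of the Default Web Site (the frontend), since that is where the confused URL is recorded as the client sent it. The export step itself never touches IIS: New-MailboxExportRequest is recorded by Exchange cmdlet logging in the MSExchange Management event log, so pair this search with one there for export requests whose file path lands under a web root. A clean result does not prove a clean server; logs may have been rotated or edited after the fact, and the allowlist above only covers the handful of pages named here.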
● Examples
- 01
Attackers deploying ASPX web shells on internet-facing Exchange servers immediately after ProxyShell PoCs were published.
- 02
Ransomware groups using ProxyShell as the initial-access vector before encrypting victim networks.
● Frequently asked questions
What is ProxyShell?
A 2021 exploit chain in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that combined three flaws into unauthenticated remote code execution. It belongs to the Vulnerabilities category of cybersecurity.
What does ProxyShell mean?
A 2021 exploit chain in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that combined three flaws into unauthenticated remote code execution.
How do you defend against ProxyShell?
Defences for ProxyShell combine patching and hunting: apply the April and May 2021 Exchange Security Updates (or a later cumulative update) to every on-premises server, enable the Exchange Emergency Mitigation Service, search the frontend IIS logs for Autodiscover path-confusion requests and the web roots for unexpected .aspx files, and treat any internet-facing server that was unpatched after mid-August 2021 as potentially already compromised.
What are other names for ProxyShell?
Common alternative names include: Exchange ProxyShell, Orange Tsai Exchange chain.