Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-42321)

Microsoft has released details of a post-authentication remote code execution (RCE) vulnerability in Exchange Server. An authenticated attacker could exploit this vulnerability to gain control of an affected system.


Threat details

Introduction

Microsoft has released details of a post-authentication remote code execution (RCE) vulnerability, tracked as CVE-2021-42321, affecting Microsoft Exchange Server. A remote, authenticated attacker could exploit this vulnerability to execute code on a vulnerable Exchange server.

Exploitation in the wild

Microsoft is aware of limited targeted attacks.

Vulnerability details

The vulnerability was discovered at the Tianfu Cup, a Chinese hacking competition held in October 2021. Microsoft released details of the vulnerability as part of its November 2021 Security Updates. At the time of publication, Microsoft has not provided any further details on the cause or mechanics of this vulnerability.

Organisations should be aware that the vulnerability affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

Known issues with update

For on-premises Exchange servers running in hybrid mode, there is a known issue following installation of the November 2021 Security Updates in which a URL redirect fails with the "Something went wrong" error. Microsoft is still investigating this issue, which results from an incorrectly encoded URL. As a workaround, go to https://outlook.office.com/owa/ directly.


Remediation advice

Microsoft has released security update KB5007409, addressing CVE-2021-42321, for all affected Exchange Server versions. Affected organisations are required to apply the updates immediately. There are no known workarounds.

Microsoft has released guidance on how to apply the updates and also recommends making use of their Exchange Server Health Checker and Exchange Update Wizard tools to ensure the correct updates are applied, and that updates are applied successfully.

Organisations may first need to update to one of the supported Cumulative Updates (CUs) before the November 2021 Security Updates can be applied. The currently supported CUs are as follows:

  • Exchange Server 2019 CU10 or CU11
  • Exchange Server 2016 CU21 or CU22
  • Exchange Server 2013 CU23
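The following Exchange Management Shell script is an added example, not code from this alert or from Microsoft. It inventories on-premises Exchange servers with Get-ExchangeServer, derives the product from the AdminDisplayVersion minor version (15.0 is Exchange 2013, 15.1 is Exchange 2016, 15.2 is Exchange 2019) and reports which of the CU lines listed above each server must be on before KB5007409 can be installed. Minimum build numbers are not hard-coded, because this page does not list them; take them from Microsoft's published Exchange Server build numbers table and pass them in via the optional -MinimumBuild parameter (the value shown in the comment is a placeholder). The function name Get-ExchangeCuReadiness and the parameter are this example's own.

```powershell
# Added example (not from the NHS Digital alert or Microsoft): report CU readiness of
# on-premises Exchange servers ahead of the November 2021 SU. Run from the Exchange
# Management Shell as an account with the View-Only Organization Management role or higher.

function Get-ExchangeCuReadiness {
    param(
        # Optional: product name -> lowest build that is one of the supported CUs.
        # Placeholder values must be replaced from Microsoft's build numbers table, e.g.
        #   -MinimumBuild @{ 'Exchange 2016' = [version]'15.1.<CU21 build>.0' }
        [hashtable]$MinimumBuild = @{}
    )

    # Supported CU lines as stated in the alert.
    $supportedCus = @{
        'Exchange 2013' = 'CU23'
        'Exchange 2016' = 'CU21 or CU22'
        'Exchange 2019' = 'CU10 or CU11'
    }

    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion renders as, for example, "Version 15.1 (Build 2375.7)".
        $text = $server.AdminDisplayVersion.ToString()
        if ($text -notmatch 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            Write-Warning "Could not parse version for $($server.Name): $text"
            continue
        }
        $build   = [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4])
        $product = switch ("$($Matches[1]).$($Matches[2])") {
            '15.0'  { 'Exchange 2013' }
            '15.1'  { 'Exchange 2016' }
            '15.2'  { 'Exchange 2019' }
            default { 'Unknown/unsupported' }
        }

        # Without a minimum build the script can only report; with one it decides.
        $status = 'Compare build against Microsoft build table'
        if ($MinimumBuild.ContainsKey($product)) {
            $status = if ($build -ge $MinimumBuild[$product]) { 'On a supported CU' }
                      else { 'CU upgrade required before the SU' }
        }

        [pscustomobject]@{
            Server     = $server.Name
            Role       = $server.ServerRole
            Product    = $product
            Build      = $build
            RequiredCu = $supportedCus[$product]
            Status     = $status
        }
    }
}

Get-ExchangeCuReadiness | Format-Table -AutoSize
```

Servers reported as Unknown/unsupported are running a version outside the lines listed above and need to be brought onto a supported CU before the security update will install. Microsoft's Exchange Server Health Checker, which the alert recommends, performs this build comparison automatically and should be treated as the authoritative check.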

If you encounter errors during installation, see the SetupAssist script. If the updates do not work properly, see Repair failed installations of Exchange Cumulative and Security updates.



Last edited: 12 November 2021 1:16 pm