Security Advisory 2021-056

Release Date:

Critical Vulnerability in Microsoft Exchange Server



  • 20/10/2021 --- v1.0 -- Initial publication


On October 12, Microsoft released in the monthly Patch Tuesday a new batch of patches fixing several vulnerabilities, one of which could lead to remote code execution on certain versions of Microsoft Exchange servers [1]. The vulnerability, identified as CVE-2021-26427, has a CVSS3 score of 9 out of 10 and could allow an attacker to execute remote code on on-premise exchange servers [2]. According to Microsoft, the attack vector for this vulnerability is adjacent, which means that the attacker needs to be in the same local network as the server to be able to exploit it.

No active exploitation of this vulnerability is known yet.

Technical Details

There is not much detail available about how the vulnerability CVE-2021-26427 could be exploited. Microsoft stated that the CVE-2021-26427 is only exploitable from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, and it requires basic user privileges [2].

Affected Products

  • Microsoft Exchange Server 2019 Cumulative Update 10
  • Microsoft Exchange Server 2016 Cumulative Update 21
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2016 Cumulative Update 22

To be exploitable, Microsoft Exchange Servers have to be on-premise versions of Microsoft Exchange Server. Microsoft Exchange Online is not affected by these flaws.


Applying the update released on October 12 to Exchange servers [2] is currently the only mitigation for this vulnerability.





We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.