CVE-2021-26857

ENISA EUVD: EUVD-2021-13641 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 13 articles Published: 2021-03-02

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

44.74%

probability

This CVE has a 44.74% probability of being exploited in the next 30 days.

0% Top 97.6th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.8

HIGH

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Temporal

Exploit Code Maturity

Functional

Remediation Level

Official Fix

Report Confidence

Confirmed

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CVSS v2 (legacy)

6.8

MEDIUM

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Description

NVD

Microsoft Exchange Server Remote Code Execution Vulnerability

Affected Products

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 19

15.01.0

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 8

15.02.0

Microsoft

Microsoft Exchange Server 2019

15.02.0

Microsoft

Microsoft Exchange Server 2013 Cumulative Update 22

15.00.0

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 2

15.02.0

microsoft

exchange server

Microsoft

Microsoft Exchange Server 2013 Cumulative Update 21

15.00.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 18

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2013 Service Pack 1

15.00.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 8

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 19

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 5

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2010 Service Pack 3

14.0.0.0 <publication

Microsoft

Microsoft Exchange Server 2013 Cumulative Update 23

15.00.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 2

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 4

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 15

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 12

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 7

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2019

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 16

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 8

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 10

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 1

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2013 Cumulative Update 22

15.00.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 11

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 3

15.02.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 17

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 9

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 13

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 14

15.01.0 <publication

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 6

15.02.0 <publication

Attack Intelligence

CWE-502 · Deserialization of Untrusted Data CWE-664 · Improper Control of a Resource Through its Lifetime CWE-913 · Improper Control of Dynamically-Managed Code Resources

Google Project Zero

Patched

March 2, 2021

Reported by

Dubex and Microsoft Threat Intelligence Center (MSTIC)

Root Cause Analysis

???

Exploits & PoC

sirpedrotavares/Proxylogon-exploit

proxylogon exploit - CVE-2021-26857

110 2021-03-11

1 repo — triés par ⭐ Rechercher sur GitHub ↗

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857

x_refsource_MISC

Signal Intelligence

Confidenceⓘ

92%

EPSS 44.74%

CVSS v3.1 7.8

Mentions 13

Last Seen Oct 07, 2022

CNA Information

CNA Assigner

microsoft

CNA Title

Microsoft Exchange Server Remote Code Execution Vulnerability

Analyst Note

CVE-2021-26857 is a confirmed remote code execution vulnerability in Microsoft Exchange Server with a HIGH CVSS score (7.8), inclusion in Google Project Zero research, and validation through CERT-EU security advisory. The zero-day nature and official vendor acknowledgment strongly support the confirmed classification.