CVE-2021-42321

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 6 articles

VulnLookup ↗ NVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

93.62%

probability

This CVE has a 93.62% probability of being exploited in the next 30 days.

0% Top 99.8th percentile of all CVEs 100%

CVSS score unavailable

Neither CIRCL nor NVD returned a CVSS score for this CVE. View on VulnerabilityLookup ↗

Description

Project Zero

Remote code execution

Google Project Zero

Patched

Nov. 9, 2021

Reported by

Microsoft Security Response Center, Microsoft Threat Intelligence Center (MSTIC), Yuhao Weng with Sangfor, and 漏洞研究院青训队 with Tianfu

Root Cause Analysis

???

Exploits & PoC

DarkSprings/CVE-2021-42321

Microsoft Exchange Server Poc

1 repo — triés par ⭐ Rechercher sur GitHub ↗

Microsoft patches Excel zero-day used in attacks, asks Mac users to wait

BleepingComputer Nov 10, 2021

Microsoft & Adobe Patch Tuesday (November 2021) – Microsoft 55 Vulnerabilities with 6 Critical, 6 Zero-Days. Adobe 4 Vulnerabilities

Qualys Nov 11, 2021

Defense Lessons From the Black Basta Ransomware Playbook

Qualys Feb 25, 2025

Microsoft November 2021 Patch Tuesday fixes 6 zero-days, 55 flaws

BleepingComputer Nov 09, 2021

Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

TheHackerNews

Security Advisory 2021-063

CERT-EU Nov 10, 2021

Signal Intelligence

Confidenceⓘ

85%

EPSS 93.62%

Mentions 6

Last Seen Feb 25, 2025

CNA Information

Analyst Note

CVE-2021-42321 is confirmed as a legitimate remote code execution vulnerability in Microsoft Exchange Server 2016 with high severity (CVSS 8.8) and has been independently documented by CERT-EU. While not yet listed in CISA KEV, the presence in Google Project Zero and official security advisory corroborate the vulnerability's authenticity and exploitability.