ProxyShell Flaw in Microsoft Exchange Enabled Unauthenticated RCE
A critical Microsoft Exchange Server flaw, CVE-2021-34473, enabled unauthenticated attackers to reach privileged backend services through improper URI validation and URL normalization in the Client Access Service and autodiscover functionality. The bug is the first stage of the ProxyShell attack chain and has been widely tied to in-the-wild exploitation, with affected builds including Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9.
Attackers have used the issue to bypass authentication, access Exchange PowerShell, read mailboxes, deploy webshells, exfiltrate email, and move laterally, especially when chaining it with CVE-2021-34523 and CVE-2021-31207 for full compromise. Public exploitation resources, including GitHub tooling and scanning templates, lowered the barrier to abuse, while defenders were urged to apply Microsoft's security updates, hunt for webshell indicators and suspicious autodiscover requests, monitor for PowerShell launched by w3wp.exe, and reduce external exposure of Exchange services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2021-34473 to the Known Exploited Vulnerabilities Catalog
The SentinelOne reference says CVE-2021-34473 is included in CISA's Known Exploited Vulnerabilities Catalog, reflecting official recognition of exploitation risk.
CVE-2021-34473 is actively exploited in the wild
Source content states that CVE-2021-34473, part of the ProxyShell attack chain, has been actively exploited in real-world attacks against Microsoft Exchange Server.
Microsoft security updates are recommended for CVE-2021-34473
The source content recommends applying Microsoft's security updates for CVE-2021-34473 to mitigate the Exchange Server vulnerability that underpins the ProxyShell chain.
Public ProxyShell exploitation tooling and scanning templates appear
The GitHub reference describes publicly available exploitation resources for ProxyShell, including Python scripts and a Nuclei scanning template, indicating technical details and tooling were released publicly.
Orange Tsai discovers the ProxyShell vulnerability chain at Pwn2Own
The ProxyShell set of Microsoft Exchange vulnerabilities, centered on CVE-2021-34473 and chainable with CVE-2021-34523 and CVE-2021-31207, is attributed in the source content to Orange Tsai at Pwn2Own.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ProxyShell Exploitation Chain Enabled RCE on Microsoft Exchange Servers
Researchers detailed **ProxyShell**, a chain of Microsoft Exchange vulnerabilities that can be combined to bypass authentication, escalate privileges, and achieve remote code execution on exposed Exchange servers. Orange Tsai described the attack surface and showed how flaws including `CVE-2021-34473`, `CVE-2021-34523`, and `CVE-2021-31207` could be chained to reach backend Exchange services and execute attacker-controlled code without valid credentials. Mandiant later reported real-world exploitation of ProxyShell against internet-facing Exchange environments, showing that attackers used the chain to gain shells on compromised servers and establish persistent access. The reporting underscores that unpatched on-premises Exchange systems remained a high-value target because successful exploitation could hand attackers direct control of email infrastructure, enable follow-on intrusion activity, and expose sensitive enterprise communications.
May 25, 2026
Microsoft Exchange Server Flaws Enabled Spoofing, Security Bypass, and SYSTEM-Level Access
Microsoft disclosed multiple vulnerabilities in on-premises **Exchange Server**, including **CVE-2021-31207** (security feature bypass), **CVE-2021-31209** (spoofing), and **CVE-2022-41040** (elevation of privilege). The issues affected Exchange deployments rather than **Exchange Online**, extending a pattern of high-impact weaknesses in the mail platform that could undermine trust boundaries, enable impersonation, and weaken built-in protections. Among them, **CVE-2022-41040** was rated **Critical** with a **CVSS 3.1 score of 8.8**, and Microsoft said exploitation had been detected in the wild before public disclosure. The flaw required an authenticated attacker with low privileges and no user interaction, and successful exploitation could allow the attacker to run **PowerShell** as **`SYSTEM`**. Microsoft later released security updates and directed Exchange Server customers to apply mitigations and patches for the reported zero-day issues.
May 25, 2026
Active Exploitation of Microsoft Exchange Server XSS Flaw via Crafted Email
Microsoft disclosed **CVE-2026-42897**, a high-severity spoofing vulnerability in on-premises **Microsoft Exchange Server** that is being actively exploited in the wild. The flaw stems from improper neutralization of input during web page generation and can be triggered when a user opens a specially crafted email in **Outlook Web Access**, leading to cross-site scripting and arbitrary JavaScript execution in the victim’s browser context. Affected products include **Exchange Server 2016**, **Exchange Server 2019**, and **Exchange Server Subscription Edition**; **Exchange Online** is not affected. Microsoft has not yet released a permanent patch for `CVE-2026-42897`, but said it is automatically deploying a temporary mitigation through the **Exchange Emergency Mitigation Service**, which applies a URL rewrite configuration and is enabled by default. For air-gapped or disconnected environments, the company directed administrators to use the **Exchange on-premises Mitigation Tool**, while noting a cosmetic issue may affect mitigation status reporting. Microsoft also published the vulnerability in its Security Update Guide alongside other advisories, including **CVE-2026-41615** for Microsoft Authenticator.
May 19, 2026