ProxyShell Exploitation Chain Enabled RCE on Microsoft Exchange Servers
Researchers detailed ProxyShell, a chain of Microsoft Exchange vulnerabilities that can be combined to bypass authentication, escalate privileges, and achieve remote code execution on exposed Exchange servers. Orange Tsai described the attack surface and showed how flaws including CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 could be chained to reach backend Exchange services and execute attacker-controlled code without valid credentials.
Mandiant later reported real-world exploitation of ProxyShell against internet-facing Exchange environments, showing that attackers used the chain to gain shells on compromised servers and establish persistent access. The reporting underscores that unpatched on-premises Exchange systems remained a high-value target because successful exploitation could hand attackers direct control of email infrastructure, enable follow-on intrusion activity, and expose sensitive enterprise communications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Mandiant publishes analysis of ProxyShell exploitation on Exchange servers
Mandiant published a blog post titled "PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers," providing analysis of real-world exploitation of Microsoft Exchange servers via ProxyShell. The post represents a later technical reporting milestone on how the attack chain was being used in the wild.
Orange Tsai discloses ProxyShell attack chain for Microsoft Exchange
Orange Tsai published Part 3 of his Exchange research detailing the ProxyShell attack surface and exploitation chain against Microsoft Exchange servers. The disclosure publicly documented the technique and helped define the vulnerability set later tracked as ProxyShell.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ProxyShell Flaw in Microsoft Exchange Enabled Unauthenticated RCE
A critical Microsoft Exchange Server flaw, **CVE-2021-34473**, enabled unauthenticated attackers to reach privileged backend services through improper URI validation and URL normalization in the Client Access Service and autodiscover functionality. The bug is the first stage of the **ProxyShell** attack chain and has been widely tied to in-the-wild exploitation, with affected builds including Exchange Server 2013 `CU23`, Exchange Server 2016 `CU19` and `CU20`, and Exchange Server 2019 `CU8` and `CU9`. Attackers have used the issue to bypass authentication, access Exchange PowerShell, read mailboxes, deploy webshells, exfiltrate email, and move laterally, especially when chaining it with **CVE-2021-34523** and **CVE-2021-31207** for full compromise. Public exploitation resources, including GitHub tooling and scanning templates, lowered the barrier to abuse, while defenders were urged to apply Microsoft's security updates, hunt for webshell indicators and suspicious autodiscover requests, monitor for PowerShell launched by `w3wp.exe`, and reduce external exposure of Exchange services.
Jun 8, 2026
Mass Exploitation of Microsoft Exchange Flaws Led to Global Email Server Compromises
Attackers exploited multiple zero-day and later related vulnerabilities in on-premises Microsoft Exchange Server to compromise email systems at tens of thousands of organizations worldwide, including government agencies, banks, universities, defense contractors, law firms, healthcare entities, local governments, and small businesses. Microsoft initially attributed the early activity to the China-linked group **Hafnium**, while CISA, the FBI, and the White House warned that exploitation quickly spread to many additional state-backed and criminal actors after patches were released. The intrusions affected Exchange 2010, 2013, 2016, and 2019 deployments rather than Exchange Online or Microsoft 365, and enabled attackers to steal emails and address books, dump credentials, install **web shells** such as **China Chopper**, move laterally, and in some cases deploy follow-on malware including ransomware. U.S. and allied governments later formally attributed the campaign to actors affiliated with China’s Ministry of State Security, as CISA said organizations should investigate for compromise dating back to at least January 2021 and assume identity compromise where exploitation was found. Security researchers and incident responders reported thousands of backdoored servers across more than 100 countries, with many systems still unpatched well after disclosure, and warned that patching alone did not remove implanted persistence. Microsoft and CISA released emergency updates, detection and remediation guidance, and tools including `Test-ProxyLogon.ps1` and `EOMT.ps1`, while later research showed Exchange attack chains such as **ProxyShell** could still be adapted for remote code execution and could evade weak perimeter defenses, reinforcing that rapid patching and thorough incident response were essential.
Jun 8, 2026
Microsoft Exchange Server Flaws Enabled Spoofing, Security Bypass, and SYSTEM-Level Access
Microsoft disclosed multiple vulnerabilities in on-premises **Exchange Server**, including **CVE-2021-31207** (security feature bypass), **CVE-2021-31209** (spoofing), and **CVE-2022-41040** (elevation of privilege). The issues affected Exchange deployments rather than **Exchange Online**, extending a pattern of high-impact weaknesses in the mail platform that could undermine trust boundaries, enable impersonation, and weaken built-in protections. Among them, **CVE-2022-41040** was rated **Critical** with a **CVSS 3.1 score of 8.8**, and Microsoft said exploitation had been detected in the wild before public disclosure. The flaw required an authenticated attacker with low privileges and no user interaction, and successful exploitation could allow the attacker to run **PowerShell** as **`SYSTEM`**. Microsoft later released security updates and directed Exchange Server customers to apply mitigations and patches for the reported zero-day issues.
May 25, 2026