Mallory
High · CISA KEV · Exploited in the wild · Public exploit

Microsoft Exchange Unified Messaging insecure deserialization RCE

Identifiers: CVE-2021-26857 · CWE-502: Deserialization of Untrusted Data

CVE-2021-26857 is a remote code execution vulnerability in the Microsoft Exchange Server Unified Messaging (UM) service: an insecure deserialization flaw in Unified Messaging on on-premises Exchange Server. Successful exploitation allows arbitrary code execution in the context of NT AUTHORITY\SYSTEM on the Exchange server. The vulnerability was one of the March 2021 Exchange flaws commonly chained with CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 during ProxyLogon intrusions. In observed exploitation activity, UM processes such as umworkerprocess.exe and umservice.exe were seen spawning suspicious child processes.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables arbitrary code execution as SYSTEM on the vulnerable Exchange server. In operational use, this can provide full server compromise, deployment of web shells or additional malware, credential theft, mailbox and file access, persistence, lateral movement, and potential compromise of Active Directory and broader enterprise identity infrastructure when chained with other Exchange flaws or valid administrative credentials.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, recommended temporary mitigations include restricting untrusted connections to port 443, blocking external access to /owa/ and /ecp/, or disconnecting vulnerable on-premises Exchange servers from the internet. Additional defensive measures include placing Exchange behind a VPN, hunting for suspicious .aspx web shells and anomalous IIS/ECP activity, monitoring for UM processes spawning child processes, and assuming credential and identity compromise if exploitation is confirmed.

Remediation

Patch, then assume compromise.

Apply Microsoft's March 2021 security updates for Exchange Server addressing CVE-2021-26857. Updates were released for supported on-premises Exchange Server 2010, 2013, 2016, and 2019 builds, with additional temporary updates for certain older cumulative updates. Microsoft instructed administrators to install the relevant update packages, reboot after installation, and continue upgrading to the latest supported cumulative update: the temporary fixes do not make unsupported builds supported, and installing a later CU that lacks the March 2021 fixes can reintroduce exposure. If compromise is suspected, investigate for indicators of compromise, including suspicious UM child processes and web shells, using Microsoft and CISA guidance and tools such as Test-ProxyLogon.ps1 and EOMT.ps1.
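The hunting check named in the description, mitigation and remediation sections (UM processes such as umworkerprocess.exe and umservice.exe spawning child processes) as an added example, not code from the page or from Mallory: a small Python triage over constructed Sysmon-style process-creation events exported as JSON lines. The JSON field names, the interpreter tuning list and the sample events are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Exchange Unified Messaging binaries named in the advisory.
UM_PARENTS = {"umworkerprocess.exe", "umservice.exe"}
# Hypothetical tuning list: an interpreter under a UM parent is rated high.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def _basename(path):
    # Lower-cased file name from a Windows path; tolerates a missing field.
    return PureWindowsPath(path or "").name.lower()

def hunt_um_children(lines):
    """Return one finding per Sysmon Event ID 1 whose parent image is a UM process."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the hunt
        if ev.get("EventID") != 1:  # only process-creation events
            continue
        parent = _basename(ev.get("ParentImage"))
        if parent not in UM_PARENTS:
            continue
        child = _basename(ev.get("Image"))
        findings.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                         "parent": parent, "child": child, "cmdline": ev.get("CommandLine", ""),
                         "severity": "high" if child in INTERPRETERS else "medium"})
    return findings

# Constructed sample telemetry (not real logs); raw strings keep the JSON backslashes intact.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "UtcTime": "2021-03-03 08:12:41", "Computer": "EXCH01", "ParentImage": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}',
    r'{"EventID": 1, "UtcTime": "2021-03-03 08:12:45", "Computer": "EXCH01", "ParentImage": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMService.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -enc <redacted>"}',
    r'{"EventID": 1, "UtcTime": "2021-03-03 08:13:02", "Computer": "EXCH01", "ParentImage": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user"}',
    r'{"EventID": 1, "UtcTime": "2021-03-03 08:00:00", "Computer": "EXCH01", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMService.exe", "CommandLine": "UMService.exe"}',
    r'{"EventID": 3, "UtcTime": "2021-03-03 08:12:50", "Computer": "EXCH01", "Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe", "DestinationIp": "192.0.2.10"}',
    "{not json",
]

if __name__ == "__main__":
    for f in hunt_um_children(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['host']}: {f['parent']} -> {f['child']} ({f['cmdline']})")
```

The normal service start (services.exe launching UMService.exe), the network event and the malformed line are ignored; only the three children of UM parents are reported.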
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden). Valid: 1 of 3 total.

Proxylogon-exploit · Maturity: PoC · Verified exploit

This repository contains a Python exploit (exploit.py) for the ProxyLogon vulnerability (CVE-2021-26857) in Microsoft Exchange Server. The exploit targets unpatched Exchange servers accessible over HTTPS and requires a valid email address on the target system. The script performs a series of HTTP requests to the Exchange Control Panel (ECP) endpoints to authenticate, escalate privileges, and ultimately write a JScript/ASP.NET web shell to the server's OWA authentication directory. The web shell allows remote code execution by sending commands via HTTP POST requests. The repository includes a README with usage instructions and a single exploit script. The exploit is operational and provides a working web shell payload, but is not part of a larger framework.

sirpedrotavares · Disclosed Mar 11, 2021 · python · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                  Product           Type
Microsoft Corporation   Exchange Server   application

Vendor-confirmed product mapping.

Also available in Mallory for this CVE (not shown on this page):

- Exposure mapping: assets running an affected version, and their blast radius.
- Threat actor evidence (29): observed campaigns linking this CVE to a named adversary.
- Associated malware (23): malware families using this exploit, with evidence and IOCs.
- Detection signatures (2): YARA, Sigma, Snort, and vendor rules.
- Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants.
- Social activity (1): community discussion across Reddit, Mastodon, and other social sources.