Microsoft Exchange Server is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to on-premise Exchange server. Attackers can also trick the Exchange server to execute arbitrary commands by exploiting this vulnerability.
This vulnerability is part of an attack chain. The complete attack chain allow an attacker to execute arbitrary remote code on the affected Microsoft Exchange Server. The other vulnerabilities from this attack chain are the following:
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any part of the target Exchange server. Attackers exploiting this vulnerability could write a file to any path on the target Exchange server.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path of the target Exchange server. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
The versions affected are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Upgrade to the latest version of Microsoft Exchange Server.