Threat Response: Multiple Vulnerabilities in Microsoft Exchange Server



On the evening of 2 March 2021, Microsoft released information regarding targeted attacks against Microsoft Exchange Servers [1][2]. In this message, we inform you about the threat and the possible mitigations.

Microsoft released details about 4 zero day exploits being used to attack on-premises Exchange Server. The targeted vulnerabilities are registered by the following IDs and their relative CVSS-3.0 score:

  • CVE-2021-26855 (9.1)
  • CVE-2021-26857 (7.8)
  • CVE-2021-26858 (7.8)
  • CVE-2021-27065 (7.8)

The following versions are affected:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

At the moment of writing, Microsoft Exchange Online is reported to be not affected.

The vulnerability registered as CVE-2021-26855 can be exploited remotely, if the Exchange Server is internet-facing. The other vulnerabilities require existing access to the environment, but can act as subsequent attack vectors after initial access is obtained through CVE-2021-26855.

After the attackers gain access to the Exchange Server, they can otbtain full control over the attacked host. From there on, they may proceed with other known techniques to acquire credentials, setting up a connection to Command-and-Control servers or exfiltrate data.

Therefore, Northwave classifies the impact of the vulnerabilities as high.

Although currently no known public exploit exists, the information provided now can be used to craft new exploits. Therefore, Northwave expects a public exploit to be available soon. This will likely result in more attacks being carried out. Northwave estimates the risk of an attack to be high.

Microsoft has released out-of-band updates in order to address the vulnerabilities. We urge to update affected servers as soon as possible. Please follow the information provided by Microsoft to perform these updates [3]. If updating is not possible immediately, please make sure your Exchange servers are no longer externally reachable on port 443. This includes webmail.


Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.




Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.