CVE-2021-26855 Explained: ProxyLogon and the Microsoft Exchange Mass Exploitation Event
A server-side request forgery vulnerability in Microsoft Exchange that bypasses authentication and chains with three additional CVEs to achieve pre-authentication RCE. Every on-premises Exchange server on the internet was targeted within days of patch release.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2021-26855, known as ProxyLogon, is a critical server-side request forgery vulnerability in Microsoft Exchange Server. Discovered by DEVCORE researcher Orange Tsai and reported to Microsoft in January 2021, Microsoft released an emergency out-of-band patch on March 2, 2021, one week after learning that the Chinese nation-state threat actor HAFNIUM was already exploiting it in the wild.
The vulnerability allows an unauthenticated remote attacker to bypass Exchange authentication by abusing a flaw in how the Exchange frontend proxy handles HTTP requests. When chained with CVE-2021-27065 (post-auth arbitrary file write), CVE-2021-26857 (insecure deserialization), and CVE-2021-26858 (post-auth arbitrary file write), an attacker achieves full pre-authentication remote code execution.
Within days of patch release, over 250,000 Exchange servers had been backdoored with web shells. Within two weeks, ten or more distinct threat actor groups were exploiting ProxyLogon, including ransomware operators, cryptominers, and multiple nation-state APTs.
How CVE-2021-26855 Works: The ProxyLogon Exploit Chain
Exchange Server exposes a frontend proxy service (accessible externally on port 443) and a backend Exchange store service. The frontend proxy is supposed to authenticate requests before forwarding them to the backend.
CVE-2021-26855 is an SSRF vulnerability in the frontend proxy. By sending a crafted HTTP request with a manipulated Cookie header, an attacker causes Exchange to make HTTP requests to internal backend endpoints on behalf of the attacker, bypassing authentication entirely and impersonating any user, including Exchange administrators.
With administrator access established via CVE-2021-26855, CVE-2021-27065 is used to write a web shell to a publicly accessible directory on the Exchange server. The attacker then accesses the web shell via HTTP to execute arbitrary commands with SYSTEM privileges.
SSRF Authentication Bypass (CVE-2021-26855)
Attacker sends a crafted HTTP POST to the Exchange Autodiscover endpoint with a manipulated Cookie header. The frontend proxy makes an authenticated backend request on the attacker's behalf, bypassing authentication.
Impersonate Administrator
The SSRF allows the attacker to make Exchange Web Services API calls as any user, including administrators. No password is required.
Write Web Shell (CVE-2021-27065)
Using the administrator session, attacker abuses the Exchange Control Panel to write a malicious .aspx web shell to a writable directory on the Exchange server.
Execute Arbitrary Commands
Attacker accesses the web shell via HTTPS, executing commands with SYSTEM privileges. Full domain compromise often follows within hours.
Affected Versions
CVE-2021-26855 affects on-premises Microsoft Exchange Server installations only. Exchange Online (Microsoft 365) is not affected.
Vulnerable versions: Exchange Server 2013 (all Cumulative Updates), Exchange Server 2016 (CU18 and CU19), Exchange Server 2019 (CU7 and CU8). Exchange Server 2010 received an exceptional out-of-band patch despite being end-of-support.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detection and Patch Guidance
Microsoft released a ProxyLogon detection script (Test-ProxyLogon.ps1). Run this on all on-premises Exchange servers immediately. Key indicators: unexpected .aspx files in aspnet_client directories, suspicious HttpProxy log entries with external IPs in Cookie headers, and SYSTEM-level process spawns from w3wp.exe.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
ProxyLogon remains one of the most consequential vulnerability disclosures of the 2020s. If your organization runs on-premises Exchange Server, the checklist is: patch applied, web shell scan completed, HttpProxy logs reviewed, and credential rotation completed if any indicators were found. On-premises Exchange continues to be a high-value target, consider migrating to Exchange Online.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is ProxyLogon (CVE-2021-26855)?
ProxyLogon is a critical SSRF vulnerability in Microsoft Exchange Server's frontend proxy. An unauthenticated attacker sends a crafted HTTP request to bypass authentication and impersonate any Exchange user. Chained with CVE-2021-27065 (arbitrary file write), it enables pre-authentication RCE with SYSTEM privileges. Over 250,000 servers were backdoored within days of disclosure.
Is Exchange Online affected by ProxyLogon?
No. CVE-2021-26855 only affects on-premises Exchange Server installations (2013, 2016, 2019). Microsoft 365 / Exchange Online is not affected.
How do I check if my Exchange server was compromised by ProxyLogon?
Run Microsoft's official Test-ProxyLogon.ps1 script on all Exchange servers. Check C:\inetpub\wwwroot\aspnet_client\ for unexpected .aspx files. Review HTTP proxy logs for Cookie header manipulation from external IPs. Rotate all credentials if compromise indicators are found.
What is HAFNIUM and why did it target CVE-2021-26855?
HAFNIUM is a Chinese state-sponsored threat actor attributed to Chinese government operations. Microsoft identified HAFNIUM as the first known group exploiting CVE-2021-26855 before the patch was released, targeting US-based organizations across defense contractors, law firms, infectious disease researchers, and policy think tanks. HAFNIUM's primary objective was intelligence collection, specifically harvesting email content from on-premises Exchange servers. The group operated from leased US-based virtual private servers to obfuscate origin, then used web shells planted via ProxyLogon for persistent mailbox access.
Which Exchange Server versions are affected by CVE-2021-26855?
CVE-2021-26855 affects on-premises Exchange Server 2013, 2016, and 2019. Microsoft also released out-of-band patches for Exchange Server 2010 as a precaution despite its end-of-support status. Exchange Online (Microsoft 365) is not affected because Microsoft manages patching for cloud-hosted Exchange. Organizations must apply both the required Cumulative Update (CU) and the Security Update (SU) for their Exchange version, the security update must be applied on top of a supported CU.
How do I scan my Exchange server for ProxyLogon web shells?
Run Microsoft's Test-ProxyLogon.ps1 script: it scans HTTP proxy logs, Exchange web directories, and configuration files for ProxyLogon IOCs. Key locations to check manually: C:\inetpub\wwwroot\aspnet_client\ and C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ for unexpected .aspx files. Search Exchange IIS logs for POST requests from external IPs to Autodiscover, EWS, or ECP paths with Cookie header manipulation. Any unexpected .aspx file in web-accessible Exchange directories should be treated as a web shell until proven otherwise.
Sources & references
- Microsoft Security Response Center
- Volexity Research
- CISA Emergency Directive 21-02
- NIST NVD
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
