KB5000871: Microsoft Exchange Server 2013 / 2016 / 2019 Security Update (March 2021)
Pre-authentication RCE on on-premises Exchange. Chaining these four CVEs allows unauthenticated attackers to read email and install backdoors. Apply KB5000871 — this was exploited by Hafnium and at least 10 other APT groups within days of disclosure.
An unauthenticated attacker can read all email on the Exchange server, dump credentials, install persistent web shells, and move laterally to the rest of the network. CISA confirmed exploitation by nation-state actors against US government agencies. The attack requires only HTTPS access to Exchange — no credentials, no phishing.
Exchange's Outlook Web Access and Exchange Control Panel expose HTTP endpoints that fail to validate authentication properly (CVE-2021-26855 — SSRF). Chained with three post-auth vulnerabilities, an attacker can achieve unauthenticated remote code execution and write web shells to disk.
Probably yes if any of these apply:
Affected OS versions
Microsoft released emergency patches on March 2, 2021, acknowledging active exploitation by Hafnium (a Chinese state-sponsored group). Within two weeks, over 250,000 Exchange servers were compromised globally. Criminal ransomware groups followed within days of public PoC release. The US CISA issued Emergency Directive 21-02 requiring federal agencies to patch within 48 hours.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5000871
Manual remediation steps
Estimated time: 2 hours including service restart and verification
Apply the Microsoft Security Update
Microsoft has released an official security update that fixes this vulnerability.
Required KB Update
Supersedes: KB4593466, KB4602269
Affected Products
Installation Methods
Windows Update (recommended)
Microsoft Update Catalog (manual download)
.msu installer with administrator privileges
WSUS / SCCM / Intune
Approve KB5000871 for the affected products in your update management console.
Microsoft Download Center Links
Verification
Confirm the update is installed:
Get-HotFix | Where-Object { $_.HotFixID -in @('KB5000871') }
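A fuller verification, added here as an example (not Microsoft's or this page's script): Get-HotFix reads Win32_QuickFixEngineering, which does not report updates applied through Windows Installer, so the function below also compares the ExSetup.exe build with a fixed build you supply. The function name, the `-FixedBuild` parameter and the status strings are hypothetical, and the rule that a cumulative update is identified by the first three version components is an assumption of this example.

```powershell
# Added example. -FixedBuild is a placeholder you fill in: the patched
# ExSetup.exe build that Microsoft's KB5000871 article lists for the
# cumulative update (CU) this server runs.
function Test-ExchangeKbInstalled {
    param(
        [Parameter(Mandatory = $true)][version]$FixedBuild,
        [string]$KbId = 'KB5000871',
        [string]$InstallPath = $env:ExchangeInstallPath
    )

    if (-not $InstallPath) {
        throw 'ExchangeInstallPath is not set; run this on the Exchange server.'
    }
    $exSetup = Join-Path $InstallPath 'bin\ExSetup.exe'
    if (-not (Test-Path -LiteralPath $exSetup)) {
        throw "ExSetup.exe not found at '$exSetup'."
    }

    # Check 1: the same query as the Verification step above.
    $hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $KbId }

    # Check 2: installed build, assembled from the numeric parts so that
    # zero-padded version strings do not affect the comparison.
    $vi = (Get-Item -LiteralPath $exSetup).VersionInfo
    $installed = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Assumption: major.minor.build identifies the CU and the revision rises
    # with each security update, so revisions are compared within one CU only.
    $sameCu = ($installed.Major -eq $FixedBuild.Major) -and
              ($installed.Minor -eq $FixedBuild.Minor) -and
              ($installed.Build -eq $FixedBuild.Build)
    if (-not $sameCu) { $status = 'DifferentCU' }   # wrong -FixedBuild for this CU
    elseif ($installed.Revision -ge $FixedBuild.Revision) { $status = 'Patched' }
    else { $status = 'NotPatched' }

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        KbId            = $KbId
        ListedByHotFix  = [bool]$hotfix
        InstalledBuild  = $installed
        FixedBuild      = $FixedBuild
        Status          = $status
    }
}

# Usage: Test-ExchangeKbInstalled -FixedBuild '<fixed build for your CU>'
```

A `DifferentCU` result means the supplied build belongs to another cumulative update, so look up the fixed build for the CU reported in `InstalledBuild` and run the check again.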
References
Discovery Credit
Microsoft Threat Intelligence Center (MSTIC), Orange Tsai from DEVCORE research team, Volexity
| Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference |
|---|---|---|---|---|
| KB5000871 | CVE-2021-26855 | See NVD | 9.8 | NVD ↗ |
| KB5000871 | CVE-2021-26857 | See NVD | 9.8 | NVD ↗ |
| KB5000871 | CVE-2021-26858 | See NVD | 9.8 | NVD ↗ |
| KB5000871 | CVE-2021-27065 | See NVD | 9.8 | NVD ↗ |