IRONSMITHINTEL
CRITICAL | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2021-26855 | Auth: none (unauthenticated) | Reboot: service restart | Est. 2 hours including service restart and verification | Manual only

KB5000871: Microsoft Exchange Server 2013 / 2016 / 2019 Security Update (March 2021)

Pre-authentication RCE on on-premises Exchange. Chaining these four CVEs allows unauthenticated attackers to read email and install backdoors. Apply KB5000871 — this was exploited by Hafnium and at least 10 other APT groups within days of disclosure.

Published Mar 2, 2021 · Updated May 10, 2026
Why patch: Risk explained in plain English

Worst-case scenario: If unpatched

An unauthenticated attacker can read all email on the Exchange server, dump credentials, install persistent web shells, and move laterally to the rest of the network. CISA confirmed exploitation by nation-state actors against US government agencies. The attack requires only HTTPS access to Exchange — no credentials, no phishing.

How the attack works: No clicks needed

Exchange's Outlook Web Access and Exchange Control Panel expose HTTP endpoints that fail to validate authentication properly (CVE-2021-26855 — SSRF). Chained with three post-auth vulnerabilities, an attacker can achieve unauthenticated remote code execution and write web shells to disk.

[Figure: attack-path icons labelled "Phishing link", "Malicious file", "Server compromised"]

Am I affected? Quick check

Probably yes if any of these apply:

Exchange Administrators
Mail Administrators
IT Security
All Windows Admins
Running Exchange Server 2013 CU23, Exchange Server 2016 CU18–CU19, Exchange Server 2019 CU7–CU8

Affected OS versions

Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Fixed in: KB5000871 (March 2021 Security Update)

Real-world incidents: What we've seen

Microsoft released emergency patches on March 2, 2021, acknowledging active exploitation by Hafnium (a Chinese state-sponsored group). Within two weeks, over 250,000 Exchange servers were compromised globally. Criminal ransomware groups followed within days of public PoC release. The US CISA issued Emergency Directive 21-02 requiring federal agencies to patch within 48 hours.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5000871

Manual remediation steps

Estimated time: 2 hours including service restart and verification

Check Exchange Version and Patch Status

Get-ExchangeServer | Select Name, Edition, AdminDisplayVersion
# Also check installed updates:
Get-Command ExSetup | ForEach { $_.FileVersionInfo }

Check for Web Shell Indicators

# Look for recently created ASPX files in Exchange web directories
Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client" -Recurse -Filter "*.aspx" |
Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) }

Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" -Recurse -Filter "*.aspx" |
Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) }
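
The two checks above combined into one triage helper, added here as an example (not Microsoft's code and not a tested script from this site). The function name Find-RecentAspx, its parameters and the CSV output path are assumptions. It also matches on LastWriteTime, includes hidden files, skips directories that do not exist, and records the owner and SHA-256 of each hit.

```powershell
# Added example: consolidates the page's two web-directory checks into one report.
function Find-RecentAspx {
    [CmdletBinding()]
    param(
        # Directories taken from the manual checks on this page.
        [string[]]$Path = @(
            'C:\inetpub\wwwroot\aspnet_client',
            'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth'
        ),
        # Same 30-day window the page uses; widen it if compromise may be older.
        [int]$Days = 30,
        [string]$Filter = '*.aspx'
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "Skipping missing directory: $dir"
            continue
        }
        # -Force includes hidden/system files; match on either timestamp,
        # since a file dropped earlier may have been modified recently.
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter $Filter -Force |
            Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    FullName      = $_.FullName
                    CreationTime  = $_.CreationTime
                    LastWriteTime = $_.LastWriteTime
                    Length        = $_.Length
                    Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
                    SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Write findings to a CSV for the incident record (output path is an assumption).
$report = Join-Path $env:TEMP 'exchange-aspx-triage.csv'
Find-RecentAspx | Sort-Object CreationTime | Export-Csv -Path $report -NoTypeInformation
Write-Output "Findings written to $report"
```

Run it before the Safety Scanner step later on this page so that file paths, timestamps and hashes are recorded before any cleanup. File timestamps can be altered, so an empty result does not prove the server is clean.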

Apply the Security Update

1. Download the March 2021 Exchange Security Update for your version from https://aka.ms/exchangeupdates
2. Run the installer from an elevated PowerShell prompt:
   .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /mode:Upgrade
3. Verify the update applied:
   Get-Command ExSetup | ForEach { $_.FileVersionInfo }

Post-Patch: Verify No Web Shells Remain

# Run Microsoft MSERT (Safety Scanner) to detect web shells
Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?LinkId=212732" -OutFile "$env:TEMP\msert.exe"
& "$env:TEMP\msert.exe" /Q /F:Y

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 4 fixes · Patch-to-CVE mapping

Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference
KB5000871 | CVE-2021-26855 | See NVD | 9.8 | NVD
KB5000871 | CVE-2021-26857 | See NVD | 9.8 | NVD
KB5000871 | CVE-2021-26858 | See NVD | 9.8 | NVD
KB5000871 | CVE-2021-27065 | See NVD | 9.8 | NVD