IRONSMITHINTEL
Critical · CVSS 9.8 · Actively Exploited · CISA KEV · CVE-2021-34473 · Auth: none — unauthenticated · Reboot: service restart · Est. 2 hours including service restart · Manual only

KB5004779: Microsoft Exchange Server 2016 / 2019 Security Update (August 2021)

Three-bug chain enabling unauthenticated RCE on Exchange via the Autodiscover endpoint. Apply KB5004779 — publicly demonstrated at Black Hat 2021 and weaponised within days by ransomware actors.

Published Aug 10, 2021 · Updated May 10, 2026
Why patch: Risk explained in plain English

Worst-case scenario (if unpatched)

Unauthenticated attackers can install persistent web shells, read all Exchange email, execute arbitrary commands as SYSTEM, and move laterally to the entire domain. ProxyShell was chained with PrintNightmare in several ransomware campaigns to achieve full domain compromise from the internet.

How the attack works: No clicks needed

The Autodiscover endpoint normalises URLs incorrectly (CVE-2021-34473), letting an unauthenticated attacker reach the Exchange PowerShell Remoting backend. Combined with an elevation of privilege bug (CVE-2021-34523) and a path traversal in the mailbox import/export feature (CVE-2021-31207), an attacker can write an ASPX web shell to an arbitrary path.


Am I affected? Quick check

Audience: Exchange Administrators · Mail Administrators · IT Security

Probably yes if any of these apply:

- Running Exchange Server 2016 CU21 and earlier, Exchange Server 2019 CU10 and earlier

Affected OS versions: Windows Server 2016, Windows Server 2019

Fixed in: KB5004779 (August 2021 Security Update)

Real-world incidents: What we've seen

Security researcher Orange Tsai disclosed ProxyShell at Black Hat 2021 on August 5. Automated scanning for vulnerable Exchange servers began within 24 hours. By August 12, multiple ransomware groups (LockFile, Conti) were actively exploiting unpatched servers to deploy ransomware. CISA added all three CVEs to the Known Exploited Vulnerabilities catalog.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog ↗ (KB5004779)

Manual remediation steps

2 hours including service restart

Check Exposure (Autodiscover reachable from internet?)

# From the Exchange server, check if Autodiscover is externally accessible
Resolve-DnsName autodiscover.yourdomain.com
# If this resolves to a public IP, the server is potentially exposed

Verify Installed Exchange Build

Get-Command ExSetup | ForEach { $_.FileVersionInfo }
# Vulnerable: Exchange 2016 < 15.1.2308.14, Exchange 2019 < 15.2.986.14

Apply the Update

1. Download KB5004779 for your Exchange version from Microsoft Update Catalog
2. Run from an elevated PowerShell prompt:
   .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /mode:Upgrade

Confirm and Check for Web Shells

# Verify updated version
Get-Command ExSetup | ForEach { $_.FileVersionInfo }

# Scan for web shells in common locations
$paths = @(
  "C:\inetpub\wwwroot\aspnet_client",
  "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
  "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess"
)
foreach ($p in $paths) {
  Get-ChildItem $p -Recurse -Include "*.aspx","*.ashx" |
  Where-Object { $_.CreationTime -gt "2021-08-01" } |
  Select-Object FullName, CreationTime
}

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 3 fixes · Patch-to-CVE mapping

Patch ID  | CVE ID         | Vulnerability Name / Type | CVSS | Reference
KB5004779 | CVE-2021-34473 | See NVD                   | 9.8  | NVD ↗
KB5004779 | CVE-2021-34523 | See NVD                   | 9.8  | NVD ↗
KB5004779 | CVE-2021-31207 | See NVD                   | 9.8  | NVD ↗