IRONSMITHINTEL

Critical · CVSS 9.8 · Actively exploited · CISA KEV · CVE-2021-34473 · Auth: none (unauthenticated) · Reboot: service restart · Est. 2 hours including service restart · Manual only

KB5001779: Windows Server 2016 / 2019 Security Update (August 2021)

Three-bug chain enabling unauthenticated RCE on Exchange via the Autodiscover endpoint. Apply KB5004779 — publicly demonstrated at Black Hat 2021 and weaponised within days by ransomware actors.

Published Aug 10, 2021 · Updated May 29, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

Unauthenticated attackers can install persistent web shells, read all Exchange email, execute arbitrary commands as SYSTEM, and move laterally to the entire domain. ProxyShell was chained with PrintNightmare in several ransomware campaigns to achieve full domain compromise from the internet.

How the attack works (no clicks needed)

The Autodiscover endpoint normalises URLs incorrectly (CVE-2021-34473), allowing an unauthenticated attacker to reach Exchange PowerShell Remoting. Combined with an elevation of privilege bug (CVE-2021-34523) and a path traversal in the import/export mailbox feature (CVE-2021-31207), an attacker can write an ASPX web shell to an arbitrary path.
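The two sections above describe the outcome defenders most need to find quickly: an ASPX web shell dropped into a directory that Exchange serves over IIS. The following hunting script is an added example, not code from the advisory or from Microsoft; it lists ASPX/ASHX files created or modified after a cutoff date under the Exchange front-end, client-access and default IIS roots. The `ExchangeInstallPath` environment variable and the three directory names are assumptions about a standard Exchange layout and should be adjusted to the server being examined.

```powershell
# Added example (not from the advisory): list ASPX/ASHX files written after a cutoff date in
# directories that Exchange serves over IIS. Paths below are assumptions about a default layout.
param(
    [datetime]$Since = (Get-Date '2021-08-05'),        # public disclosure date given in the advisory
    [string]$ExchangeRoot = $env:ExchangeInstallPath    # set by Exchange setup (assumption)
)

function Find-RecentAspx {
    param([string[]]$Roots, [datetime]$Since)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }    # skip roots that do not exist on this host
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    CreatedUtc  = $_.CreationTimeUtc
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SizeBytes   = $_.Length
                    # hash each hit so it can be compared against a known-good reference server
                    Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$roots = @(
    (Join-Path -Path $ExchangeRoot -ChildPath 'FrontEnd\HttpProxy'),   # assumption
    (Join-Path -Path $ExchangeRoot -ChildPath 'ClientAccess'),         # assumption
    'C:\inetpub\wwwroot'                                               # default IIS root (assumption)
)

Find-RecentAspx -Roots $roots -Since $Since |
    Sort-Object -Property CreatedUtc |
    Format-Table -AutoSize
```

Hits are triage leads, not verdicts: installing a Cumulative Update or Security Update legitimately rewrites many ASPX files under these roots, so compare hashes against a freshly patched reference server or the update's install time before treating a file as a web shell, and preserve the file and its IIS log entries rather than deleting it.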


Am I affected? (quick check)

Probably yes if any of these apply:

On-premises Microsoft Exchange Servers
Internet-exposed Autodiscover endpoints
Exchange 2016/2019 servers
Running Exchange Server 2016 CU21 and earlier, Exchange Server 2019 CU10 and earlier

Affected OS versions

Windows Server 2016, Windows Server 2019

Fixed in: KB5001779 (applies to 5 product versions), builds 15.00.1497.015, 15.01.2176.012 and later

Real-world incidents: what we've seen

Security researcher Orange Tsai disclosed ProxyShell at Black Hat 2021 on August 5. Automated scanning for vulnerable Exchange servers began within 24 hours. By August 12, multiple ransomware groups (LockFile, Conti) were actively exploiting unpatched servers to deploy ransomware. CISA added all three CVEs to the Known Exploited Vulnerabilities catalog.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5001779

Manual remediation steps

2 hours including service restart

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Update

KB5001779 — https://support.microsoft.com/help/5001779

Affected Products

Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 19
Microsoft Exchange Server 2016 Cumulative Update 20
Microsoft Exchange Server 2019 Cumulative Update 8
Microsoft Exchange Server 2019 Cumulative Update 9

Fixed Build Numbers

15.00.1497.015
15.01.2176.012
15.01.2242.008
15.02.0792.013
15.02.0858.010

Installation Methods

Windows Update (recommended)

1. Settings → Windows Update → Check for updates
2. The security update is offered if your system is in scope
3. Restart when prompted — a reboot IS required to complete the install

Microsoft Update Catalog (manual download)

1. Open https://catalog.update.microsoft.com
2. Search for KB5001779
3. Download the package matching your OS architecture and Windows build
4. Run the .msu installer with administrator privileges
5. Restart when prompted

WSUS / SCCM / Intune

Approve KB5001779 for the affected products in your update management console.

Microsoft Download Center Links

http://www.microsoft.com/download/details.aspx?familyid=52da6d67-e0c4-4af0-a133-1e47217b6309
http://www.microsoft.com/download/details.aspx?familyid=5aa2aaf7-860d-4977-acd4-82096c83c5f0
http://www.microsoft.com/download/details.aspx?familyid=93809dc0-0265-4116-bc51-510ce641008b
http://www.microsoft.com/download/details.aspx?familyid=b13f23a9-5603-4b13-8e16-6d35b5b33524
http://www.microsoft.com/download/details.aspx?familyid=f827ff3b-194c-4470-aa8f-6cedc0d95d07

Verification

Confirm the update is installed:

Get-HotFix | Where-Object { $_.HotFixID -in @('KB5001779') }

References

Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
KB article: https://support.microsoft.com/help/5001779
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-34473
CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-34473

Discovery Credit

Orange Tsai (@orange_8361) from DEVCORE Research Team, working with Trend Micro Zero Day Initiative


CVEs in this update (3 fixes · patch-to-CVE mapping)

| Patch ID  | CVE ID         | Vulnerability Name / Type | CVSS | Reference |
|-----------|----------------|---------------------------|------|-----------|
| KB5001779 | CVE-2021-34473 | See NVD                   | 9.8  | NVD       |
| KB5001779 | CVE-2021-34523 | See NVD                   | 9.8  | NVD       |
| KB5001779 | CVE-2021-31207 | See NVD                   | 9.8  | NVD       |

Related vulnerabilities