IRONSMITHINTEL

CRITICAL | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2021-26855 | Auth: none | Reboot: required | Est. 60–120 minutes including reboot | Manual only

Pre-Authentication SSRF in Exchange Leads to Remote Code Execution

Unpatched Exchange servers can be fully compromised by unauthenticated attackers over the internet — ProxyLogon was exploited by nation-state actors before Microsoft released the patch.

Published May 7, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An attacker with network access to Exchange's HTTPS port (443) can authenticate as any Exchange user without credentials, then write a web shell to the Exchange server. From there they have SYSTEM-level code execution, access to all email on the server, and typically a foothold into the Active Directory domain since Exchange servers are highly privileged by default.

How the attack works (no clicks needed)

Microsoft Exchange Server contains a server-side request forgery (SSRF) vulnerability in its Exchange Control Panel that allows an unauthenticated attacker to send arbitrary HTTP requests as the Exchange server account. When chained with CVE-2021-27065, an attacker can write a web shell to disk and achieve remote code execution. The Exchange server account runs as SYSTEM, so exploitation results in full server compromise.


Am I affected? Quick check

Probably yes if any of these apply:

All on-premises Exchange Server deployments
Hybrid Exchange environments
Running Exchange Server 2013 CU23, 2016 CU18/CU19, 2019 CU7/CU8

Affected OS versions

Windows Server 2016, Windows Server 2019

Fixed in: Exchange Server 2016 CU19+, 2019 CU8+ with March 2021 SU

Real-world incidents: what we've seen

The HAFNIUM threat group exploited ProxyLogon in targeted attacks against US defence contractors, law firms, and infectious disease researchers before the patch was available. After public disclosure, over 250,000 Exchange servers were found to be compromised within days. Many organisations discovered web shells months after the fact when reviewing logs.

How to patch

Manual remediation steps

60–120 minutes including reboot

Step 1 — Check Exchange Version and Patch Level

# Run in the Exchange Management Shell on the Exchange server
# Diagnostic output including any setting overrides applied to this server
Get-ExchangeDiagnosticInfo -Server $env:COMPUTERNAME -Process EdgeTransport -Component VariantConfiguration -Settings GetSettingOverrides | Format-List
# Installed build including Security Updates: the ExSetup.exe file version changes when an SU
# is applied, whereas Get-ExchangeServer's AdminDisplayVersion reports only the Cumulative Update
Get-Command exsetup.exe | ForEach-Object { $_.FileVersionInfo }

Step 2 — Apply Security Update

1. Download the March 2021 Security Update from Microsoft: microsoft.com/download
2. Run the installer as Administrator
3. Reboot after installation

Step 3 — Check for Existing Compromise

# Microsoft released a detection script — download and run:
# https://github.com/microsoft/CSS-Exchange/tree/main/Security
# Run Test-ProxyLogon.ps1 on all Exchange servers
.\Test-ProxyLogon.ps1 -OutPath C:\Temp\ProxyLogon_Results
# Check for suspicious ASPX files in Exchange directories
# aspnet_client normally holds only client-side script, so any .aspx file here warrants review
Get-ChildItem -Path 'C:\inetpub\wwwroot\aspnet_client' -Recurse -Filter '*.aspx' |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# The Exchange install contains many legitimate .aspx files, so narrow the review to
# files written in the last six months and compare against known-good copies
Get-ChildItem -Path 'C:\Program Files\Microsoft\Exchange Server' -Recurse -Filter '*.aspx' |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddMonths(-6) } |
    Select-Object FullName, LastWriteTime
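The one-off directory listings above only show what is on disk today. The following is an added example, not code from the original page and not Microsoft's Test-ProxyLogon.ps1: it turns the Step 3 checks into a repeatable baseline-and-diff hunt that records a SHA-256 for every server-executable ASP.NET file under the two paths the page names and, on later runs, reports files that are new, modified or missing relative to that baseline. The baseline location (C:\Temp\exchange-web-baseline.json) and the extra extensions (.ashx and .asmx are also executed by ASP.NET) are choices made for this example, not a Microsoft convention.

```powershell
# Added example; not from the original page or from Microsoft's Test-ProxyLogon.ps1.
# Baseline-and-diff hunt for dropped or modified ASP.NET files under the Exchange web paths.
# ASSUMPTIONS: scan roots are the two paths used on this page; the baseline path and the
# extension list are choices made here.

$ScanRoots    = @('C:\inetpub\wwwroot\aspnet_client',
                  'C:\Program Files\Microsoft\Exchange Server')
$Extensions   = @('*.aspx', '*.ashx', '*.asmx')
$BaselinePath = 'C:\Temp\exchange-web-baseline.json'   # assumed location, adjust as needed

function Get-WebFileInventory {
    param([string[]]$Roots, [string[]]$Include)
    # Hashtable keyed by full path so the diff can look files up directly.
    $inventory = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
            ForEach-Object {
                $inventory[$_.FullName] = [pscustomobject]@{
                    Hash          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
                    Length        = $_.Length
                }
            }
    }
    return $inventory
}

function Compare-WebFileInventory {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = New-Object System.Collections.ArrayList
    foreach ($path in $Current.Keys) {
        $kind = $null
        if (-not $Baseline.ContainsKey($path))                  { $kind = 'NEW' }
        elseif ($Baseline[$path].Hash -ne $Current[$path].Hash) { $kind = 'MODIFIED' }
        # aspnet_client normally holds only client-side script, so an executable file there
        # is reported even when it was already in the baseline.
        elseif ($path -like '*\aspnet_client\*')                { $kind = 'IN_ASPNET_CLIENT' }
        if ($kind) {
            [void]$findings.Add([pscustomobject]@{ Finding = $kind; Path = $path
                                                   LastWriteTime = $Current[$path].LastWriteTime })
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            [void]$findings.Add([pscustomobject]@{ Finding = 'MISSING'; Path = $path; LastWriteTime = $null })
        }
    }
    return $findings
}

function Save-WebFileBaseline {
    param([hashtable]$Inventory, [string]$Path)
    $Inventory | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Import-WebFileBaseline {
    param([string]$Path)
    # ConvertFrom-Json returns a PSCustomObject; rebuild the path-keyed hashtable.
    $table = @{}
    $obj = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($prop in $obj.PSObject.Properties) { $table[$prop.Name] = $prop.Value }
    return $table
}

$current = Get-WebFileInventory -Roots $ScanRoots -Include $Extensions
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: a baseline taken after a compromise would enshrine the web shell, so list
    # files written in the last six months (the window used in Step 3) for manual review
    # before trusting the baseline.
    Save-WebFileBaseline -Inventory $current -Path $BaselinePath
    $cutoff = (Get-Date).ToUniversalTime().AddMonths(-6)
    $current.GetEnumerator() |
        Where-Object { [datetime]::Parse($_.Value.LastWriteTime, $null,
                       [System.Globalization.DateTimeStyles]::RoundtripKind) -gt $cutoff } |
        ForEach-Object { [pscustomobject]@{ Finding = 'REVIEW_RECENT'; Path = $_.Key
                                            LastWriteTime = $_.Value.LastWriteTime } } |
        Format-Table -AutoSize
} else {
    $baseline = Import-WebFileBaseline -Path $BaselinePath
    Compare-WebFileInventory -Baseline $baseline -Current $current | Format-Table -AutoSize
}
```

Run it once on a server you have reason to trust (or right after a clean rebuild) to create the baseline, then on a schedule; the first-run REVIEW_RECENT listing exists because a baseline captured after a compromise would hide the shell from every later diff. Hashing rather than relying on LastWriteTime also catches a modified file whose timestamp has been reset.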

Verification

# Confirm patch level shows March 2021 SU or later
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' | Select-Object MsiProductMajor, MsiProductMinor, MspFileVersion
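Step 1 reads the ExSetup.exe version and the Verification step asks you to confirm it is at the March 2021 SU level or later; the following added example (not code from the original page or from Microsoft) turns both into one repeatable check. The five build entries in $FixedBuilds are placeholders with build and revision set to 0: fill them in from Microsoft's published Exchange build-number table for the March 2021 SU of each CU named on this page (2013 CU23, 2016 CU18/CU19, 2019 CU7/CU8). The function names are assumptions made here.

```powershell
# Added example; this is not code from the original page or from Microsoft.
# Compares the ExSetup.exe file version (the value that changes when a Security Update is
# installed; Get-ExchangeServer's AdminDisplayVersion reflects only the CU) against the first
# fixed build for the same CU.
#
# PLACEHOLDERS: every entry below has build and revision set to 0. Replace each with the full
# build Microsoft lists for the March 2021 SU of that CU. Until that is done, a real server is
# reported as NewerThanTable-Confirm, never as Patched.

$FixedBuilds = @(
    [version]'15.0.0.0'   # PLACEHOLDER: Exchange 2013 CU23 + March 2021 SU
    [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016 CU18 + March 2021 SU
    [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016 CU19 + March 2021 SU
    [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019 CU7 + March 2021 SU
    [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019 CU8 + March 2021 SU
)

function Get-ExSetupVersion {
    # Same source as Step 1: the file version of ExSetup.exe found on the PATH.
    $fvi = (Get-Command exsetup.exe -ErrorAction Stop).FileVersionInfo
    return New-Object -TypeName System.Version -ArgumentList $fvi.FileMajorPart, $fvi.FileMinorPart,
                                                              $fvi.FileBuildPart, $fvi.FilePrivatePart
}

function Test-ExchangeBuildPatched {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [Parameter(Mandatory)][version[]]$Fixed
    )
    # Branch = Major.Minor (15.0 = Exchange 2013, 15.1 = 2016, 15.2 = 2019).
    $branch = @($Fixed | Where-Object { $_.Major -eq $Installed.Major -and $_.Minor -eq $Installed.Minor })
    if ($branch.Count -eq 0) { return 'UnknownBranch' }

    # CU = the Build component. A server on a listed CU is fixed once its revision reaches
    # the fixed revision for that CU; a patched CU18 server is fixed even though its build
    # number is lower than an unpatched CU19, so a single branch-wide minimum would be wrong.
    $sameCU = @($branch | Where-Object { $_.Build -eq $Installed.Build })
    if ($sameCU.Count -gt 0) {
        if ($Installed.Revision -ge $sameCU[0].Revision) { return 'Patched' }
        return 'Unpatched'
    }

    # CU not in the table: newer than anything listed needs a check against current Microsoft
    # guidance rather than a blind pass; an older CU never received this fix.
    $newestListed = ($branch | ForEach-Object { $_.Build } | Measure-Object -Maximum).Maximum
    if ($Installed.Build -gt $newestListed) { return 'NewerThanTable-Confirm' }
    return 'Unpatched'
}

# Constructed values (not real Exchange builds) exercising the three branches of the function:
# a revision below the fix, the fixed revision itself, and an older CU.
$demoTable = @([version]'15.1.1000.5')
Test-ExchangeBuildPatched -Installed ([version]'15.1.1000.4') -Fixed $demoTable
Test-ExchangeBuildPatched -Installed ([version]'15.1.1000.5') -Fixed $demoTable
Test-ExchangeBuildPatched -Installed ([version]'15.1.900.9')  -Fixed $demoTable

# Live check; skipped on a machine where ExSetup.exe is not on the PATH.
if (Get-Command exsetup.exe -ErrorAction SilentlyContinue) {
    $installed = Get-ExSetupVersion
    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        ExSetup = $installed.ToString()
        Status  = Test-ExchangeBuildPatched -Installed $installed -Fixed $FixedBuilds
    }
}
```

The per-CU comparison is the point of the example: each CU that received the March 2021 SU has its own fixed build, so comparing against one branch-wide minimum would either report patched CU18/CU7 servers as vulnerable or unpatched CU19/CU8 servers as safe. The NewerThanTable-Confirm status exists so that a later CU, or an unfilled placeholder table, never produces a silent pass.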
PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.