IRONSMITHINTEL
CRITICALCVSS9.8
|
Actively Exploited
|CISA KEV|CVE-2021-26855|Auth: none|Reboot: required|Est. 60–120 minutes including reboot|Manual only

KB5000871: Windows Server 2016 / 2019 Security Update (May 2026)

Unpatched Exchange servers are fully compromised by unauthenticated attackers over the internet — ProxyLogon was exploited by nation-state actors before Microsoft released the patch.

Published May 7, 2026 · Updated May 29, 2026
XLinkedIn
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker with network access to Exchange's HTTPS port (443) can authenticate as any Exchange user without credentials, then write a web shell to the Exchange server. From there they have SYSTEM-level code execution, access to all email on the server, and typically a foothold into the Active Directory domain since Exchange servers are highly privileged by default.

How the attack worksNo clicks needed

Microsoft Exchange Server contains a server-side request forgery (SSRF) vulnerability in its Exchange Control Panel that allows an unauthenticated attacker to send arbitrary HTTP requests as the Exchange server account. When chained with CVE-2021-27065, an attacker can write a web shell to disk and achieve remote code execution. The Exchange server account runs as SYSTEM, so exploitation results in full server compromise.

📧

Phishing link

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

All on-premises Exchange Server deployments
Hybrid Exchange environments
Running Exchange Server 2013 CU23, 2016 CU18/CU19, 2019 CU7/CU8

Affected OS versions

Windows Server 2016Windows Server 2019
Fixed inKB5000871 (applies to 24 product versions)
Real-world incidentsWhat we've seen

The HAFNIUM threat group exploited ProxyLogon in targeted attacks against US defence contractors, law firms, and infectious disease researchers before the patch was available. After public disclosure, over 250,000 Exchange servers were found to be compromised within days. Many organisations discovered web shells months after the fact when reviewing logs.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5000871

Manual remediation steps

60–120 minutes including reboot

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Update

    1
    KB5000871 — https://support.microsoft.com/help/5000871

Supersedes: KB4593466, KB4602269

Affected Products

    1
    Microsoft Exchange Server 2013 Cumulative Update 21
    1
    Microsoft Exchange Server 2013 Cumulative Update 22
    1
    Microsoft Exchange Server 2013 Cumulative Update 23
    1
    Microsoft Exchange Server 2016 Cumulative Update 10
    1
    Microsoft Exchange Server 2016 Cumulative Update 11
    1
    Microsoft Exchange Server 2016 Cumulative Update 12
    1
    Microsoft Exchange Server 2016 Cumulative Update 13
    1
    Microsoft Exchange Server 2016 Cumulative Update 14
    1
    Microsoft Exchange Server 2016 Cumulative Update 15
    1
    Microsoft Exchange Server 2016 Cumulative Update 16
    1
    Microsoft Exchange Server 2016 Cumulative Update 17
    1
    Microsoft Exchange Server 2016 Cumulative Update 18
    1
    Microsoft Exchange Server 2016 Cumulative Update 19
    1
    Microsoft Exchange Server 2016 Cumulative Update 8
    1
    Microsoft Exchange Server 2016 Cumulative Update 9
    1
    Microsoft Exchange Server 2019
    1
    Microsoft Exchange Server 2019 Cumulative Update 1
    1
    Microsoft Exchange Server 2019 Cumulative Update 2
    1
    Microsoft Exchange Server 2019 Cumulative Update 3
    1
    Microsoft Exchange Server 2019 Cumulative Update 4
    1
    (…4 more product versions)

Installation Methods

Windows Update (recommended)

1
Settings → Windows Update → Check for updates
2
The security update is offered if your system is in scope
3
Restart when prompted (may or may not be required for this update)

Microsoft Update Catalog (manual download)

1
Open https://catalog.update.microsoft.com
2
Search for KB5000871
3
Download the package matching your OS architecture and Windows build
4
Run the .msu installer with administrator privileges
5
Restart when prompted

WSUS / SCCM / Intune

Approve KB5000871 for the affected products in your update management console.

Microsoft Download Center Links

    1
    http://www.microsoft.com/download/details.aspx?familyid=101995fc-65a6-47af-a580-5467c5e8c94a
    1
    http://www.microsoft.com/download/details.aspx?familyid=1255ecd7-b187-4839-96c9-1fc5e05df7b6
    1
    http://www.microsoft.com/download/details.aspx?familyid=192fa60f-664a-4f3e-b19f-e295135e469b
    1
    http://www.microsoft.com/download/details.aspx?familyid=1a07c860-4149-4a9e-b9cc-6a656a7e8916
    1
    http://www.microsoft.com/download/details.aspx?familyid=221f9562-f2af-4dda-a8a3-e5a81ddc5f2b
    1
    (…19 more)

Verification

Confirm the update is installed:

Get-HotFix | Where-Object { $_.HotFixID -in @('KB5000871') }

References

    1
    Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
    1
    KB article: https://support.microsoft.com/help/5000871
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-26855
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26855

Discovery Credit

Microsoft Threat Intelligence Center (MSTIC), Orange Tsai from DEVCORE research team, Volexity

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2021-26855MSRC AdvisoryKBKB5000871

Related vulnerabilities

MEDIUM6.5

Microsoft Defender for Identity Improper Authentication — Spoofing (CVE-2025-26685)

Microsoft Defender for Identity

CVE-2025-26685

HIGH

IIS Security Updates Require Both Windows Update and Manual Configuration Review

Microsoft IIS

HIGH

Third-Party Backup Agents Are Frequently Targeted and Must Be Kept Updated