
CVE-2021-26855: Microsoft Exchange — ProxyLogon SSRF

CVE Details

CVE ID CVE-2021-26855
CVSS Score 9.8
Severity Critical
Vendor Microsoft
Product Exchange Server
Patch Status Available
Published November 3, 2021
EPSS Score 94.3%
CISA Patch Deadline November 24, 2021 (federal deadline passed)

Background

Microsoft Exchange Server is the email backbone for a significant chunk of the corporate world. On-premises deployments are particularly common in government, healthcare, and financial services — sectors that, for various regulatory or legacy reasons, never made the jump to cloud-hosted mail. That makes Exchange a high-value target: compromise it and you own the organisation’s email, calendar, contact data, and often a foothold on the domain itself.

CVE-2021-26855 is the anchor vulnerability in the ProxyLogon chain, disclosed by Microsoft in March 2021 after DEVCORE researcher Orange Tsai reported it. DEVCORE had found the full exploit chain — this SSRF bug plus CVE-2021-27065 (a post-auth arbitrary file write) — and Microsoft was mid-patch when Chinese threat actors began exploiting it in the wild. By the time patches dropped on 2 March 2021, thousands of organisations had already been compromised.

Technical Mechanism

Exchange’s Client Access Service (CAS) handles incoming connections and proxies them to the appropriate backend. The vulnerability exists in the way CAS processes the X-BEResource cookie, which is used to identify the backend Exchange server.

By crafting a malicious X-BEResource cookie value, an attacker can force Exchange to make HTTP requests to arbitrary internal hosts — that’s the SSRF. More critically, Exchange authenticates to the backend using its own credentials, so the attacker can bypass authentication entirely by routing requests through the SSRF.

The exploit chain in practice:

  1. Send a crafted HTTP request to /owa/ or /ecp/ with a malicious X-BEResource cookie pointing to localhost:444
  2. Exchange proxies the request with Authorization: Basic <base64(machine-account-creds)> headers appended — giving you authenticated access to the Exchange backend without any credentials
  3. Use this authenticated access to write a webshell (via CVE-2021-27065, which allows writing to arbitrary paths on disk)
  4. Execute commands through the webshell

The SSRF itself doesn’t execute code. It’s the chain that kills you — 26855 gets authentication, 27065 drops the shell.

Real-World Exploitation Evidence

HAFNIUM (a China-nexus APT) was the first group confirmed exploiting this in the wild, beginning around January 2021. They used the access to install China Chopper webshells and deploy Covenant post-exploitation frameworks.

Within days of the March 2021 patch release, at least 10 other threat groups jumped in. These included:

  • LockFile ransomware operators — used ProxyLogon to pivot into AD and deploy ransomware
  • Tick (Bronze Butler) — dropped custom implants on Exchange servers to establish persistent access
  • Calypso APT — nation-state actor targeting government networks
  • Websiic — a previously unknown group identified by ESET exploiting this at scale

CISA and the FBI issued a joint advisory noting that tens of thousands of US organisations were compromised before patches were applied.

Impact Assessment

Full compromise of an Exchange server means:

  • Complete email access — read, send, delete any email in the organisation
  • Credential harvesting — Exchange stores hashed credentials; attackers routinely dump these
  • Lateral movement — Exchange servers typically run as high-privilege accounts; from Exchange, attackers can often hit AD directly
  • Persistent backdoors — webshells survive patching if not removed, so patching alone doesn’t clean up a compromise
  • Ransomware deployment — multiple ransomware families used this as an initial access vector

Organisations that were compromised but didn’t notice until after patching often found webshells that had been sitting there for weeks.

Affected Versions

Product                         Affected Versions                         Fixed Version
Microsoft Exchange Server 2013  All CU versions before March 2021 patch   KB5000871
Microsoft Exchange Server 2016  CU19 and earlier                          CU19 + KB5000871
Microsoft Exchange Server 2019  CU8 and earlier                           CU8 + KB5000871

Exchange Online (Microsoft 365) is not affected.

Remediation Steps

  1. Apply the March 2021 security updates immediately — KB5000871 for Exchange 2013/2016/2019
  2. Run the Microsoft Safety Scanner (MSERT) to detect webshells
  3. Use the Test-ProxyLogon.ps1 script from Microsoft to check for signs of exploitation
  4. Search IIS logs for requests to /owa/ or /ecp/ with X-BEResource cookies containing unusual values
  5. Audit the \inetpub\wwwroot\aspnet_client\ and Exchange OWA/ECP directories for .aspx or .ashx files not part of the original installation
  6. If webshells are found, treat the entire host as compromised — rebuild from known-good backup or reinstall
  7. Reset all service accounts associated with Exchange, including machine account passwords where applicable
  8. Enable Enhanced Mitigation Experience Toolkit (EMET) or equivalent application control
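
To support steps 5 and 6 above, here is an added Python example (not code from the original advisory or from Microsoft) that inventories the .aspx and .ashx files under a web directory together with their SHA-256 hashes and compares the result against a baseline captured from a clean installation of the same build. It reports both files that are new and files whose hash changed, because a webshell grafted onto an existing legitimate page would pass a name-only check. The baseline format (a JSON object of relative path to hash) and the sample file names and contents are constructed assumptions; produce the real baseline with the same inventory() function on a known-good server and run the script against C:\inetpub\wwwroot\aspnet_client\ and each OWA/ECP directory in turn.

```python
"""Compare an Exchange web directory against a known-good file baseline.

Added example; not from the original advisory. The baseline is a JSON object
mapping relative path -> SHA-256, produced by inventory() on a clean install of
the same Exchange build. Sample data below is constructed for illustration.
"""
import hashlib
import json
import os
import sys
from typing import Dict, List

# File types named in the advisory's audit step.
WEB_EXTENSIONS = (".aspx", ".ashx")


def _norm(path: str) -> str:
    """Normalise a relative path so Windows and POSIX spellings compare equal."""
    return path.replace("\\", "/").lower()


def file_sha256(path: str) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: str) -> Dict[str, str]:
    """Map each .aspx/.ashx file under root (path relative to root) to its SHA-256."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                full = os.path.join(dirpath, name)
                found[_norm(os.path.relpath(full, root))] = file_sha256(full)
    return found


def compare(observed: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Return web files absent from the baseline ("new") or differing from it ("modified")."""
    obs = {_norm(p): h for p, h in observed.items() if p.lower().endswith(WEB_EXTENSIONS)}
    base = {_norm(p): h for p, h in baseline.items()}
    return {
        "new": sorted(p for p in obs if p not in base),
        "modified": sorted(p for p in obs if p in base and obs[p] != base[p]),
    }


def _h(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed sample: names and contents are illustrative, not real Exchange files.
SAMPLE_BASELINE = {
    "auth/logon.aspx": _h(b"clean logon page"),
    "auth/logoff.aspx": _h(b"clean logoff page"),
    "auth/errorFE.aspx": _h(b"clean errorfe page"),
}
SAMPLE_OBSERVED = {
    "auth\\logon.aspx": _h(b"clean logon page"),
    "auth\\logoff.aspx": _h(b"clean logoff page" + b"<appended code>"),  # tampered in place
    "auth\\errorFE.aspx": _h(b"clean errorfe page"),
    "auth\\current\\themes\\resources\\logon.aspx": _h(b"unknown file"),  # path matches the HAFNIUM IoC
    "auth\\current\\themes\\resources\\style.css": _h(b"body {}"),  # ignored: not a web script
}


if __name__ == "__main__":
    # Usage: python audit_webdir.py C:\inetpub\wwwroot\aspnet_client baseline.json
    # With no arguments the constructed sample data is compared instead.
    if len(sys.argv) == 3:
        observed = inventory(sys.argv[1])
        with open(sys.argv[2], encoding="utf-8") as fh:
            baseline = json.load(fh)
    else:
        observed, baseline = SAMPLE_OBSERVED, SAMPLE_BASELINE
    result = compare(observed, baseline)
    for kind in ("new", "modified"):
        for path in result[kind]:
            print(f"{kind.upper():8} {path}")
```

Any file listed as NEW or MODIFIED is a candidate for step 6: treat the host as compromised rather than deleting the file and moving on, since the page notes webshells are what survive patching.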

Detection Guidance

IIS logs — look for POST requests to /owa/ or /ecp/ paths whose X-BEResource cookie value contains localhost:444. IIS does not record cookies by default, so enable the cs(Cookie) field in the site's W3C logging or the cookie will never appear in the log. Baseline your IIS logs and alert on any new .aspx files served from non-standard paths.

Windows Event Logs — Event ID 4624 (logon) from the Exchange machine account to itself is suspicious and may indicate SSRF exploitation.

File system monitoring — watch for new .aspx files created under C:\inetpub\wwwroot\aspnet_client\ or Exchange application directories.

Suricata signature:

alert http any any -> any 443 (msg:"ProxyLogon CVE-2021-26855 SSRF Attempt"; flow:established,to_server; http.header; content:"X-BEResource"; content:"localhost:444"; fast_pattern; classtype:web-application-attack; sid:2034001; rev:1;)

The rule matches on decoded HTTP buffers, so it only fires where Suricata sees plaintext HTTP on port 443 (behind a TLS-terminating load balancer, or with TLS inspection in place). On traffic that is still encrypted it never matches, and the IIS log and file system checks above are the fallback.

IOCs from HAFNIUM campaigns:

  • Webshell paths: /aspnet_client/shell.aspx, /owa/auth/current/themes/resources/logon.aspx
  • Covenant C2 infrastructure (check current threat intel feeds for current IPs)

Timeline

Date           Event
January 2021   DEVCORE researcher Orange Tsai discovers the ProxyLogon chain
January 2021   HAFNIUM begins exploiting CVE-2021-26855 in the wild
2 March 2021   Microsoft releases emergency out-of-band patches
2 March 2021   At least 10 additional threat groups begin mass exploitation
3 March 2021   CISA Emergency Directive 21-02 issued
March 2021     Estimated 250,000+ Exchange servers globally compromised
April 2021     LockFile ransomware operators begin using ProxyLogon for initial access
May 2021       Added to CISA Known Exploited Vulnerabilities catalogue