CVE-2021-26855 is a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server. It can be used by an unauthenticated remote attacker to make the Exchange service initiate HTTPS requests to arbitrary locations. These requests are performed on behalf of the Exchange service, so they are authenticated and carry access tokens and other sensitive data.
As a direct result, an attacker could forge requests to read the emails of the users configured on that email server.
A forged request contains interesting pieces of data like , etc. Here is what a full HTTP request initiated by the Exchange server looks like:
When exploited in conjunction with another vulnerability, such as CVE-2021-27065 (post-authentication file write), this vulnerability can lead to unauthenticated Remote Code Execution on the Exchange server. This attack chain was named ProxyLogon.
The ProxyLogon attack was widely used to compromise a large number of Microsoft Exchange servers exposed to the Internet, with attackers creating web shells in various locations on the file system.
We recommend performing an in-depth review of vulnerable Exchange servers in order to determine whether the server has already been exploited by malicious actors.
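As an added example (not Microsoft's tool and not code from the original page), a small triage script that lists web-script files created or modified under a directory after a chosen baseline time, which is the kind of check the recommendation above calls for. The extension list, the baseline date and the directory to scan are assumptions to adapt to the server being reviewed.

```python
import sys
from pathlib import Path
from datetime import datetime, timezone

# Assumption: extensions a server-side script dropped into a web-served
# directory would typically carry; adjust to the server's configuration.
WEB_SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php"}


def find_new_files(root, since, extensions=WEB_SCRIPT_EXTENSIONS):
    """Return (path, timestamp) pairs for files under `root` whose extension
    is in `extensions` and which were created or modified after `since`
    (a timezone-aware datetime).

    Both mtime and ctime are compared: a dropped file may carry any mtime the
    writer chooses (timestomping), while ctime (creation time on Windows,
    inode change time on Linux) is set by the filesystem when the file lands.
    """
    cutoff = since.timestamp()
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        st = path.stat()
        newest = max(st.st_mtime, st.st_ctime)
        if newest > cutoff:
            hits.append((str(path), datetime.fromtimestamp(newest, tz=timezone.utc)))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: script.py <directory> <baseline ISO-8601 UTC, e.g. 2021-03-01T00:00:00>
    directory, baseline = sys.argv[1], sys.argv[2]
    since = datetime.fromisoformat(baseline).replace(tzinfo=timezone.utc)
    for found, when in find_new_files(directory, since):
        print(f"{when.isoformat()}  {found}")
```

Every file the script reports still needs manual review; a legitimate update can also add files, so compare against known-good installation content before concluding anything.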
Microsoft has released a tool to check whether new files are present on the Exchange server:
More details about this vulnerability: