CVE-2021-26858: 
vulnerability analysis and mitigation

CVE-2021-26858 is a Microsoft Exchange Server Remote Code Execution Vulnerability discovered in early 2021. The vulnerability affects on-premises versions of Microsoft Exchange Server, while Microsoft Exchange Online is not affected. This vulnerability was one of four zero-day vulnerabilities (alongside CVE-2021-26855, CVE-2021-26857, and CVE-2021-27065) that were actively exploited in the wild (Tenable Blog).

CVE-2021-26858 is an arbitrary file write vulnerability in Microsoft Exchange Server. The vulnerability has a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This is a post-authentication vulnerability, meaning an attacker would first need to authenticate to the vulnerable Exchange Server before exploitation. Authentication could be achieved either through exploiting CVE-2021-26855 or by using stolen administrator credentials (NVD).

When successfully exploited, this vulnerability allows an authenticated attacker to write arbitrary files to any path on the vulnerable server. The vulnerability has been observed being used in conjunction with other Exchange Server vulnerabilities to deploy web shells, steal credentials, and exfiltrate mailbox data and offline address books (Tenable Blog).

Microsoft released out-of-band security updates on March 2, 2021, to address this vulnerability along with the other related Exchange Server vulnerabilities. The patches are available for Exchange Server 2013 Cumulative Update 23, Exchange Server 2016 Cumulative Updates 18 and 19, and Exchange Server 2019 Cumulative Updates 7 and 8. Organizations are strongly encouraged to apply these patches as soon as possible (NVD).