
Cloud Vulnerability DB
A community-led vulnerabilities database
Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) is a post-authentication arbitrary file write vulnerability discovered in Microsoft Exchange Server. This vulnerability was part of the ProxyLogon exploit chain, which was actively exploited by the HAFNIUM threat group. The vulnerability was disclosed and patched in March 2021, affecting various versions of Microsoft Exchange Server including 2013, 2016, and 2019 (NVD).
The vulnerability allows an authenticated attacker to write files to any path on the affected Exchange server. Authentication could be achieved either by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising legitimate admin credentials. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v2.0 base score of 6.8 (Medium) (NVD).
When successfully exploited, this vulnerability allows attackers to gain persistent system access and control of an enterprise network. The vulnerability can lead to compromise of integrity and confidentiality of agency information, particularly when combined with other vulnerabilities in the ProxyLogon chain (CISA).
Microsoft released security updates to address this vulnerability in March 2021. Organizations are required to apply the Microsoft patches immediately to affected Exchange Servers. CISA issued Emergency Directive 21-02 requiring federal agencies to update all on-premises Microsoft Exchange servers with the provided security updates (CISA).
Source: This report was generated using AI