ProxyShell (CVE-2021-34473 / 34523 / 31207)

ProxyShell is the three-CVE chain against Microsoft Exchange Server that became one of 2021's most-exploited RCE vectors.

Definition

ProxyShell is the disclosure name for a three-CVE Exchange Server exploitation chain: CVE-2021-34473 (server-side request forgery in Exchange's Autodiscover), CVE-2021-34523 (privilege escalation via PowerShell), and CVE-2021-31207 (arbitrary file write via mailbox export). Chained together, the three flaws let an unauthenticated remote attacker reach SYSTEM on an internet-facing Exchange server. The chain was disclosed at Black Hat 2021 and was being mass-exploited within weeks.

Mitigation

Apply the May / July 2021 Exchange cumulative updates.
