Mallory

ProxyShell Exchange RCE Chain Remains a High-Risk Path to Server Compromise

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, proof-of-concept-release, internet-facing-service-vulnerability, detection-content-update

Updated April 27, 2026 at 07:55 PM (3 sources)


CVE-2021-34473 remains a critical entry point in the ProxyShell attack chain against Microsoft Exchange Server, enabling unauthenticated attackers to exploit improper URL normalization and SSRF behavior in the Client Access Service and autodiscover components. Security reporting and public tooling show the flaw can be chained with CVE-2021-34523 and CVE-2021-31207 to reach privileged backend services, access Exchange PowerShell, deploy webshells, read mailboxes, exfiltrate email, and move laterally across victim environments. The vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog, with affected builds including Exchange Server 2013 CU23, Exchange Server 2016 CU19/CU20, and Exchange Server 2019 CU8/CU9.

Public exploit resources, including GitHub-hosted scripts and scanning templates, continue to lower the barrier to exploitation by documenting attack paths and automating discovery of exposed systems. Researchers originally tied the issue set to Orange Tsai's work, and defenders are being urged to apply Microsoft's security updates, hunt for indicators such as suspicious autodiscover requests and webshells, monitor for PowerShell launched by w3wp.exe, and reduce risk by limiting external exposure of Exchange services. A separate Synacktiv report on newer Windows authentication reflection flaws highlights how incomplete mitigations can leave relay and privilege-escalation paths open, reinforcing concern that exposed Microsoft infrastructure remains vulnerable when patching and hardening are delayed.
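The hunting guidance above (suspicious autodiscover requests, PowerShell spawned by w3wp.exe) as a small detection pass over constructed sample data. This is an added example, not tooling from the page or from Mallory; the IIS log lines and process-creation events are constructed, and the heuristics (an `@` host override in the query of an `autodiscover.json` request, and the IIS worker process as the parent of PowerShell) are the ones assumed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed IIS W3C-style log lines (not from the page).
# Fields: date time method uri-stem uri-query client-ip status ("-" means empty query).
IIS_LOG_LINES = [
    "2021-08-10 11:02:13 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 10.0.0.5 200",
    "2021-08-10 11:02:40 GET /autodiscover/autodiscover.json @example.test/autodiscover/autodiscover.json 203.0.113.7 200",
    "2021-08-10 11:03:02 GET /autodiscover/autodiscover.xml - 10.0.0.6 200",
    "2021-08-10 11:03:15 POST /Autodiscover/Autodiscover.json @example.test/mapi/nspi/ 203.0.113.7 200",
]

# Constructed process-creation events (Sysmon Event ID 1 style), not from the page.
PROC_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand CONSTRUCTED_PLACEHOLDER"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe"},
]

# Exchange is case-insensitive on this path, so the matcher must be too.
AUTODISCOVER_JSON_RE = re.compile(r"^/autodiscover/autodiscover\.json$", re.IGNORECASE)


def suspicious_autodiscover_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, uri_query) for autodiscover.json requests whose query
    carries an '@' host override, the path-confusion shape behind the SSRF."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or truncated line; skip rather than guess
        _date, _time, _method, stem, query, client_ip, _status = parts[:7]
        if AUTODISCOVER_JSON_RE.match(stem) and "@" in query:
            hits.append((client_ip, query))
    return hits


def powershell_from_w3wp(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events where the IIS worker process spawned PowerShell (either host)."""
    return [
        e for e in events
        if e["ParentImage"].lower().endswith("\\w3wp.exe")
        and e["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe"))
    ]
```

Both checks are deliberately narrow; in practice they feed a triage queue alongside web-shell file monitoring rather than standing alone as a verdict.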

Timeline

  1. Apr 27, 2026

    Synacktiv discloses bypass research tied to CVE-2025-33073 mitigations

    Synacktiv published research showing Microsoft's fix for CVE-2025-33073 addressed one SMB delivery path but not the broader reflection problem, and detailed how this work led to the discovery of CVE-2026-24294.

  2. Mar 4, 2026

    CVE-2021-34473 is recognized as actively exploited in the wild

    Security reporting later noted that CVE-2021-34473 had been actively exploited and included in CISA's Known Exploited Vulnerabilities Catalog, reflecting confirmed real-world abuse of the ProxyShell chain.

  3. Mar 1, 2026

    Microsoft patches CVE-2026-24294 in March 2026

    Microsoft patched CVE-2026-24294, a local privilege escalation issue discovered during research into bypassing the mitigations for CVE-2025-33073. The flaw allowed SMB connections on arbitrary TCP ports to be abused for local NTLM reflection on affected systems.

  4. Jun 30, 2022

    ProxyShell exploitation tooling and scanning templates become public

    Public exploit resources for ProxyShell, including Python scripts and a Nuclei scanning template, were made available, lowering the barrier to exploitation of vulnerable Exchange servers.

  5. Jul 1, 2021

    Microsoft releases security updates for CVE-2021-34473

    Microsoft issued security updates for the Exchange Server SSRF vulnerability CVE-2021-34473, which affects Exchange 2013, 2016, and 2019 and can enable unauthenticated access to privileged backend services.

  6. Jan 1, 2021

    Orange Tsai discovers the ProxyShell vulnerability chain

    Orange Tsai identified the set of Microsoft Exchange flaws later known as ProxyShell, centered on CVE-2021-34473 and chainable with CVE-2021-34523 and CVE-2021-31207 for deeper compromise.


Related Stories

Active Exploitation of WSUS Vulnerability and Urgent Security Guidance for Microsoft Exchange and WSUS Servers

Cybersecurity authorities including CISA and NSA, in collaboration with international partners, have issued urgent guidance to secure on-premise Microsoft Exchange Server and Windows Server Update Services (WSUS) instances. The recommendations emphasize restricting administrative access, enforcing multi-factor authentication, maintaining strict security baselines, and decommissioning end-of-life servers to mitigate ongoing threats. Organizations are urged to apply security updates promptly, enable advanced security features, and adopt zero trust principles to defend against persistent malicious activity targeting these critical Microsoft services. Simultaneously, a newly disclosed vulnerability in WSUS, tracked as CVE-2025-59287, is being actively exploited by cybercriminals to deploy the Skuld Stealer malware. Despite Microsoft's initial and subsequent out-of-band patches, attackers have leveraged the flaw to gain remote control over WSUS servers, using legitimate tools like PowerShell and cURL for malicious purposes. The exploitation prompted CISA to add the vulnerability to its list of known exploited vulnerabilities, underscoring the urgency for organizations to implement the latest security updates and follow best practices to protect their infrastructure.

1 month ago

China-Aligned Shadow-Earth-053 Breached Exchange Servers for Long-Term Espionage

Trend Micro disclosed that the China-aligned cluster **SHADOW-EARTH-053** compromised more than a dozen organizations in at least eight countries by exploiting vulnerable Microsoft Exchange and IIS servers, including the `ProxyLogon` chain, then deploying **GODZILLA** web shells and the **ShadowPad** backdoor to maintain access. Victims included government agencies, defense contractors, technology firms, transportation organizations, and at least one target in Poland, with activity observed from December 2024 through April 2026. Researchers said the intrusions resemble broader Chinese state-linked operations such as Salt Typhoon and Volt Typhoon and may support long-term espionage, prepositioning, and potential future disruption. Post-compromise activity included DLL sideloading with a renamed Toshiba Bluetooth Stack executable, registry-resident shellcode execution via `EnumDesktopsA` callback injection, scheduled-task persistence, mailbox collection from Exchange, credential theft, and lateral movement using tools such as **IOX**, **GOST**, **Wstunnel**, **Sharp-SMBExec**, **Mimikatz**, and **Evil-CreateDump**. Trend Micro also identified overlap with a related cluster, **SHADOW-EARTH-054**, including shared tool hashes, reused vulnerabilities, and compromises at some of the same organizations, although the company assessed the relationship as overlapping exploitation rather than clearly coordinated operations. Defenders were urged to patch Exchange and IIS systems quickly and review IIS worker process activity, web-shell indicators, and other signs of stealthy post-exploitation.

2 days ago

Remote Code Execution Vulnerabilities in Microsoft Update Services Exploited

A critical remote code execution (RCE) vulnerability was discovered in Microsoft's Update Health Tools (KB4023057), a utility designed to facilitate rapid security updates via Intune. Researchers found that a misconfiguration involving abandoned Azure blob storage allowed attackers to register a storage account and receive requests from vulnerable devices worldwide, enabling arbitrary code execution. Microsoft has since responded to the disclosure, and newer versions of the tool have addressed the issue, but devices running the original version remain at risk if not updated. Separately, a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was actively exploited by threat actors to deploy the ShadowPad backdoor malware. Attackers leveraged this flaw to gain system-level access using PowerCat and subsequently installed ShadowPad via `certutil` and `curl`. The exploitation of these vulnerabilities highlights the risks associated with update management tools and the importance of timely patching and secure configuration to prevent compromise by advanced persistent threats.

1 month ago
