19th April 2024

Microsoft Exchange Server Remote Code Execution Vulnerability – CVE-2021-26427

A critical security vulnerability with a CVSS 3.1 score of 9.0 that can lead to remote code execution has been published for Microsoft Exchange Server. The vulnerability allows code to be run with the Exchange Server application pool and Exchange Server server group accounts. It applies to the versions listed below. Although no exploit has been detected for the published vulnerability, given its criticality it is recommended to download the published patches via the relevant links so that systems are not harmed.


Affected Systems

The following systems have been stated to be affected:

  • Microsoft Exchange Server 2019 Cumulative Update 10
  • Microsoft Exchange Server 2016 Cumulative Update 21
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2016 Cumulative Update 22

Solution and CVE/CWE

It is recommended to install the updates specified in the table below.

CVE/CWE: CVE-2021-26427

| Product | Article | Security Patch |
| --- | --- | --- |
| Microsoft Exchange Server 2019 Cumulative Update 10 | 5007012 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 21 | 5007012 | Security Update |
| Microsoft Exchange Server 2013 Cumulative Update 23 | 5007011 | Security Update |
| Microsoft Exchange Server 2019 Cumulative Update 11 | 5007012 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 22 | 5007012 | Security Update |

Note: Under CVSS 3.1, a score (out of 10) of 7.0-8.9 is considered “high”, and 9.0-10.0 is considered “critical”.

References:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26427
https://nvd.nist.gov/vuln/detail/CVE-2021-26427
