CVE-2021-28480

CRITICAL NUCLEI

Microsoft Exchange Server - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-28480. PoCs published by ZephrFish, Threonic. A Nuclei detection template is also available.

AI-analyzed exploit summary

The repository claims to be a PoC for CVE-2021-28480 but is actually a honeypot designed to trick users into running a destructive script. The exploit.sh file contains a fake exploit that attempts to delete the root filesystem and includes misleading comments about NX bypasses.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploits (3)

nomisec TROJAN 10 stars
by ZephrFish · poc
https://github.com/ZephrFish/CVE-2021-28480_HoneyPoC3

The repository claims to be a PoC for CVE-2021-28480 but is actually a honeypot designed to trick users into running a destructive script. The exploit.sh file contains a fake exploit that attempts to delete the root filesystem and includes misleading comments about NX bypasses.

Classification
Trojan 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Microsoft Exchange Server
No auth needed
Prerequisites: user execution of the script
devstral-2 · analyzed Feb 18, 2026
nomisec STUB
by Threonic · poc
https://github.com/Threonic/CVE-2021-28480

The repository contains only a README.md file with a CVE identifier and no additional content, technical details, or exploit code. It appears to be a placeholder or stub repository.

Classification
Stub 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026
inthewild TROJAN
poc
https://github.com/zephrfish/exchangerce-cve-2021-28480

The repository claims to be a PoC for CVE-2021-28480 but is actually a honeypot designed to deceive users. The script contains harmful commands (e.g., `rm -rvf /* --no-preserve-root`) and misleading lyrics instead of functional exploit code.

Classification
Trojan 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Microsoft Exchange Server
No auth needed
Prerequisites: none
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)
CRITICAL · by daffainfo
Shodan: http.favicon.hash:1768726119 || http.title:"outlook" || cpe:"cpe:2.3:a:microsoft:exchange_server"
FOFA: title="outlook" || icon_hash=1768726119

References (1)


Scores

CVSS v3 9.8
EPSS 0.8714
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (3)
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_19 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_8 (2 CPE variants)
Published Apr 13, 2021
Tracked Since Feb 18, 2026