CVE-2021-33766

HIGH KEV NUCLEI

Microsoft Exchange Server - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-33766 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 18, 2022. EIP tracks 3 public exploits from researchers including bhdresh, demossl. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional bash script that exploits CVE-2021-33766 (ProxyToken), an authentication bypass vulnerability in Microsoft Exchange Server. The script can check for vulnerability and create malicious inbox rules by leveraging the SecurityToken cookie manipulation.

Description

Microsoft Exchange Server Information Disclosure Vulnerability

Exploits (3)

nomisec WORKING POC 49 stars
by bhdresh · poc
https://github.com/bhdresh/CVE-2021-33766

This repository contains a functional bash script that exploits CVE-2021-33766 (ProxyToken), an authentication bypass vulnerability in Microsoft Exchange Server. The script can check for vulnerability and create malicious inbox rules by leveraging the SecurityToken cookie manipulation.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Access to the target Exchange server · Valid email addresses for victim and target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 11 stars
by demossl · remote
https://github.com/demossl/CVE-2021-33766-ProxyToken

This repository contains a functional exploit for CVE-2021-33766 (ProxyToken), an authentication bypass vulnerability in Microsoft Exchange Server. The script checks for the vulnerability and can modify email forwarding rules by exploiting the flaw.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Network access to the target Exchange Server · Valid email domain for the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
patchapalooza WORKING POC
by bhdresh · remote
https://github.com/bhdresh/CVE-2021-33766-ProxyToken

The repository contains a functional bash script that exploits CVE-2021-33766 (ProxyToken), an authentication bypass vulnerability in Microsoft Exchange Server. The script can check for vulnerability and create malicious inbox rules by leveraging a crafted SecurityToken cookie.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: valid victim email address (for some modes) · network access to Exchange Server
devstral-2 · analyzed Feb 23, 2026 Full analysis →

Nuclei Templates (1)

Microsoft Exchange - Authentication Bypass
HIGHVERIFIEDby daffainfo
Shodan: vuln:cve-2021-26855 || http.favicon.hash:1768726119 || http.title:"outlook" || cpe:"cpe:2.3:a:microsoft:exchange_server"
FOFA: title="outlook" || icon_hash=1768726119

References (3)

Core 3

Scores

CVSS v3 7.3
EPSS 0.9375
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2022-01-18
VulnCheck KEV 2021-12-21
InTheWild.io 2021-12-21
ENISA EUVD EUVD-2021-20443
Status published
Products (3)
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_19 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_8 (2 CPE variants)
Published Jul 14, 2021
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026