CVE-2021-34470

HIGH EXPLOITED

Microsoft Exchange Server - Privilege Escalation

Exploitation Summary

CVE-2021-34470 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including technion and tmenochet.

AI-analyzed exploit summary: The repository contains a PowerShell script that scans for CVE-2021-34470 by checking the Exchange Server schema version in Active Directory. It does not exploit the vulnerability but detects vulnerable versions of Exchange Server 2016 and 2019.

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploits (2)

nomisec SCANNER 2 stars
by technion · infoleak
https://github.com/technion/CVE-2021-34470scanner

The repository contains a PowerShell script that scans for CVE-2021-34470 by checking the Exchange Server schema version in Active Directory. It does not exploit the vulnerability but detects vulnerable versions of Exchange Server 2016 and 2019.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server 2016 (CU17-CU20), Microsoft Exchange Server 2019 (CU9 and earlier)
Auth required
Prerequisites: Access to Active Directory with sufficient permissions to query schema objects
devstral-2 · analyzed Feb 18, 2026

patchapalooza WORKING POC
by tmenochet · remote-auth
https://github.com/tmenochet/ADTamper

This repository contains a PowerShell script that exploits CVE-2021-34470, a vulnerability in Active Directory allowing unauthorized creation of user or computer accounts. The script leverages LDAP operations to create rogue accounts under the context of a compromised computer account.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Active Directory (Exchange Server)
Auth required
Prerequisites: Access to a domain-joined machine with a computer account · LDAP connectivity to a domain controller
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 8.0
EPSS 0.0373
EPSS Percentile 88.3%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2022-09-14
Status published
Products (3)
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_21
microsoft/exchange_server 2019 cumulative_update_10
Published Jul 14, 2021
Tracked Since Feb 18, 2026