CVE-2021-41349

MEDIUM EXPLOITED IN THE WILD NUCLEI

Microsoft Exchange Server - Spoofing

Title source: llm

Exploitation Summary

CVE-2021-41349 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including 0xrobiul. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a writeup and steps to reproduce CVE-2021-41349, a Microsoft Exchange Server spoofing vulnerability. It includes instructions for crafting a CSRF PoC and demonstrates the exploit via Burp Suite and a provided HTML file.

Description

Microsoft Exchange Server Spoofing Vulnerability

Exploits (2)

nomisec WRITEUP 5 stars

by 0xrobiul · client-side

https://github.com/0xrobiul/CVE-2021-41349

View Code ZIP pw:eip

This repository provides a writeup and steps to reproduce CVE-2021-41349, a Microsoft Exchange Server spoofing vulnerability. It includes instructions for crafting a CSRF PoC and demonstrates the exploit via Burp Suite and a provided HTML file.

Classification

Writeup 90%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Exchange Server

No auth needed

Prerequisites: Access to Burp Suite or similar tool · Ability to craft and host a malicious HTML file · Target Microsoft Exchange Server instance

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/exploit-io/cve-2021-41349

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-41349, a reflected XSS vulnerability in Microsoft Exchange. The Python script generates an HTML file that, when opened, submits a crafted form to the target Exchange server's autodiscover endpoint, triggering the XSS payload.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Exchange Server

No auth needed

Prerequisites: Target Exchange server URL · Hosted JavaScript payload URL

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 23, 2026 Full analysis →

Nuclei Templates (1)

Microsoft Exchange Server Pre-Auth POST Based Cross-Site Scripting

MEDIUMby rootxharsh,iamnoooob

Shodan: vuln:cve-2021-26855 || http.favicon.hash:1768726119 || http.title:"outlook" || cpe:"cpe:2.3:a:microsoft:exchange_server"

FOFA: title="outlook" || icon_hash=1768726119

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41349

Scores

CVSS v3 6.5

EPSS 0.8999

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2022-05-31

InTheWild.io 2022-05-31

Status published

Products (3)

microsoft/exchange_server 2013 cumulative_update_23

microsoft/exchange_server 2016 cumulative_update_21 (2 CPE variants)

microsoft/exchange_server 2019 cumulative_update_10 (2 CPE variants)

Published Nov 10, 2021

Tracked Since Feb 18, 2026