CVE-2021-42321

HIGH KEV RANSOMWARE

Microsoft Exchange Server - Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2021-42321 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 17, 2021, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including DarkSprings, 7BitsTeam, FDlucifer.

AI-analyzed exploit summary

This PoC exploits CVE-2021-42321, a deserialization vulnerability in Microsoft Exchange Server, by sending a malicious SOAP request with a crafted gadget chain to achieve remote code execution (RCE). The exploit leverages the Exchange Web Services (EWS) endpoint to trigger the vulnerability.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploits (4)

nomisec WORKING POC 85 stars
by DarkSprings · remote-auth
https://github.com/DarkSprings/CVE-2021-42321

This PoC exploits CVE-2021-42321, a deserialization vulnerability in Microsoft Exchange Server, by sending a malicious SOAP request with a crafted gadget chain to achieve remote code execution (RCE). The exploit leverages the Exchange Web Services (EWS) endpoint to trigger the vulnerability.

Classification
Working Poc 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Exchange Server 2016 and 2019 (on-premises); Exchange 2013 is not among the affected products for this CVE
Auth required
Prerequisites: Valid credentials for Exchange Server · Network access to the EWS endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 10 stars
by 7BitsTeam · poc
https://github.com/7BitsTeam/exch_CVE-2021-42321

This is a proof-of-concept payload generator for CVE-2021-42321, a .NET deserialization vulnerability, rather than an end-to-end Exchange exploit: it builds a malicious serialized payload using the TypeConfuseDelegate gadget chain, with the stated aim of getting the generated payload past Windows Defender. The payload still has to be delivered to the vulnerable Exchange deserialization sink over an authenticated session; the classification below describes the payload's generic target rather than the Exchange attack surface.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: .NET applications using BinaryFormatter, NetDataContractSerializer, or LosFormatter
Auth required to reach the Exchange sink (CVSS PR:L); the generated payload itself is serializer-specific, not Exchange-specific
Prerequisites: Vulnerable .NET application with deserialization of untrusted data
devstral-2 · analyzed Feb 16, 2026
patchapalooza WORKING POC
by FDlucifer · remote-auth
https://github.com/FDlucifer/Proxy-Attackchain

This repository is a collection of Exchange attack chains. The analysis below describes its CVE-2018-8581 component, not its CVE-2021-42321 component: that exploit leverages NTLM relaying to escalate privileges by adding a delegate to a target user's mailbox, allowing unauthorized access to emails. The target and prerequisite fields that follow apply to CVE-2018-8581.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Exchange Server (2010 SP1/SP2/SP3, 2013, 2016)
Auth required
Prerequisites: Valid credentials for an Exchange user · Network access to the Exchange server · NTLM relay setup
devstral-2 · analyzed Feb 23, 2026
patchapalooza WORKING POC
by tntsec · poc
https://gitee.com/tntsec/CVE-2021-42321

This repository contains a functional Python exploit for CVE-2021-42321, a deserialization vulnerability in Microsoft Exchange Server. The PoC leverages crafted SOAP requests to manipulate user configurations and trigger remote code execution via a gadget chain.

Classification
Working Poc 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Exchange Server
Auth required
Prerequisites: valid Exchange credentials · network access to EWS endpoint
devstral-2 · analyzed Feb 23, 2026
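All four entries above describe the same mechanism: a base64-encoded .NET BinaryFormatter stream carrying a gadget chain, delivered inside a SOAP request to EWS. A defender reviewing captured EWS traffic can therefore triage request bodies without knowing the exact gadget: every BinaryFormatter stream opens with the same 17-byte SerializationHeaderRecord (the familiar "AAEAAAD/////AQAAAAAAAAA" base64 prefix), and the TypeConfuseDelegate chain named in the 7BitsTeam entry carries recognisable type names such as System.DelegateSerializationHolder and System.Diagnostics.Process. The script below is an added example written for this page; it is not code from any of the listed repositories. The SOAP envelope, its `<Data>` element and the embedded blob are constructed for the demonstration and do not reproduce the real EWS schema or a working gadget chain, and the marker list is a starting point to extend, not a complete signature set.

```python
import base64
import binascii
import re

# Leading bytes of every BinaryFormatter stream (SerializationHeaderRecord:
# record type 0, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0).
# In base64 this is the well-known "AAEAAAD/////AQAAAAAAAAA" prefix.
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000" "ffffffff" "01000000" "00000000")

# Type names that appear in the serialized TypeConfuseDelegate chain. Assumed
# starting set; extend with the chains your environment cares about.
GADGET_MARKERS = (
    "System.DelegateSerializationHolder",  # delegate smuggled into the object graph
    "System.Diagnostics.Process",          # the Process.Start target of the chain
)

# Runs of base64 text long enough to hold at least the header.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def scan_soap_body(body: str) -> list[dict]:
    """Return one finding per base64 blob in `body` that is a BinaryFormatter stream."""
    findings = []
    for m in BASE64_RUN.finditer(body):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 at all (a long element name, a URL fragment, ...)
        if not raw.startswith(BINARYFORMATTER_HEADER):
            continue  # base64, but not a BinaryFormatter stream (e.g. an attachment)
        findings.append({
            "offset": m.start(),
            "length": len(raw),
            "markers": [s for s in GADGET_MARKERS if s.encode() in raw],
        })
    return findings


def build_envelope(b64_payload: str) -> str:
    """Wrap a base64 string in a minimal SOAP envelope.

    Constructed for the example: <Data> is a placeholder element, not the real
    EWS schema, and the real request carries many more elements around it."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
        '  <soap:Body>\n'
        f'    <Data>{b64_payload}</Data>\n'
        '  </soap:Body>\n'
        '</soap:Envelope>\n'
    )


# Constructed stand-in for a gadget stream: the genuine header followed by the
# marker strings. A real chain is a full object graph; this is only enough to
# exercise the detector.
CONSTRUCTED_BLOB = (
    BINARYFORMATTER_HEADER
    + b"\x0c\x02\x00\x00\x00" + b"System.DelegateSerializationHolder"
    + b"\x00" + b"System.Diagnostics.Process" + b"\x0b"
)

SAMPLE_SOAP = build_envelope(base64.b64encode(CONSTRUCTED_BLOB).decode())
BENIGN_SOAP = build_envelope(
    base64.b64encode(b"ordinary attachment bytes, no serializer header").decode()
)

if __name__ == "__main__":
    for hit in scan_soap_body(SAMPLE_SOAP):
        print(f"BinaryFormatter stream at offset {hit['offset']}, "
              f"{hit['length']} bytes, gadget markers: {hit['markers']}")
    print("benign request findings:", scan_soap_body(BENIGN_SOAP))
```

The header check is the reliable part: it flags any BinaryFormatter stream handed to the endpoint, including ones using a gadget chain not in the marker list, while ordinary base64 content such as attachments passes through. The marker list only adds attribution, so treat a header hit with no markers as a finding that still needs a look, not as a false positive.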

Scores

CVSS v3 8.8
EPSS 0.9362
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-17
VulnCheck KEV 2021-11-09
InTheWild.io 2021-11-09
ENISA EUVD EUVD-2021-29296
Ransomware Use Confirmed
Status published
Products (2)
microsoft/exchange_server 2016 cumulative_update_21 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_10 (2 CPE variants)
Published Nov 10, 2021
KEV Added Nov 17, 2021
Tracked Since Feb 18, 2026