Advisory: 0-day RCE Vulnerability in Microsoft Exchange Actively Exploited by Threat Actors

November 19, 2021
min read
Category Vulnerability Intelligence
Vulnerability Class Remote Code Execution (RCE Vulnerability)
CVE ID CVE-2021-31206
CVSS:3.0 Score 7.6 High-Risk
Target Windows Server 2019/2016/2013
Reference *

Executive Summary

  • CVE-2021-31206 is an unauthenticated RCE vulnerability targeting MS Exchange servers that enable attackers to compromise Internet-facing instances.
  • The zero-day vulnerability is being actively exploited by threat actors to target Windows users.
  • This vulnerability can be exploited to run arbitrary code in the target system. However, it requires an authenticated user, in a specific exchange role, to be compromised.



Technical Details

  • CVE-2021-31206 is a flaw in the parsing of archive-file format for Microsoft Windows or CAB(Cabinet) files.
  • When handling filenames specified within a CAB file, the process does not properly validate a user-supplied path prior to using it in file operations.
  • An attacker can leverage this, in conjunction with other vulnerabilities, to execute arbitrary code in the context of SYSTEM.


Affected Platforms

Windows Platform Build Version
Windows Server  2013/ CU23/2016 CU20/2016 CU21/2019 CU10

Information from Cybercrime Forums

CloudSEK’s Threat Intelligence Research team has observed that the exploit code for this vulnerability is available with multiple threat actors and is being actively exploited by following threat groups:

  • Ransomware Operators
  • Advanced Persistent Threats
  • Access Brokers 

Sample activities of threat actors, especially access brokers, on underground forums, enquiring for a working exploit code for the vulnerability.

Darkweb post about CVE-2021-31206 - RCE vulnerability

Darkweb post about CVE-2021-31206 - RCE vulnerability

Impact & Mitigation


  • RCE vulnerabilities allow attackers to execute commands and gain control over victims’ systems. 
  • Attackers can use RCE in vulnerable Exchange servers to get initial access to internal networks. 
  • Attackers can then laterally move across internal networks to further the attack by deploying ransomware or by exfiltrating critical information. 


Patches for various Microsoft Exchange product versions were released on 13 July 2021: 

Product Article
Microsoft Exchange Server 2019 Cumulative Update 10 5004780
Microsoft Exchange Server 2016 Cumulative Update 21 5004779
Microsoft Exchange Server 2013 Cumulative Update 23 5004778
Microsoft Exchange Server 2016 Cumulative Update 20 5004779
Microsoft Exchange Server 2019 Cumulative Update 9 5004780


No items found.