The year on-premise Exchange became the most-attacked software on earth
ProxyLogon and ProxyShell turned 2021 into open season on Exchange Server. Two unauthenticated RCE chains, tens of thousands of web-shelled servers, an FBI operation to clean them up. If you still run Exchange on-prem, you're operating a permanent top-tier target.
In 2021, on-premise Microsoft Exchange Server became, for a stretch, the most-attacked software on the planet. Two unauthenticated remote-code-execution chains did it. In March, the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) was used as a zero-day by the group Microsoft calls HAFNIUM and then by everyone else, web-shelling tens of thousands of Exchange servers worldwide; the situation was severe enough that the FBI obtained court authorization to remotely remove web shells from victim servers. In August, the ProxyShell chain (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) repeated the pattern, feeding LockFile and Conti ransomware. Add the older CVE-2020-0688 and the later CVE-2021-42321, and the catalog holds a dense cluster of Exchange RCEs from a single brutal stretch.
The chains
- ProxyLogon (March 2021). CVE-2021-26855 is a server-side request forgery that bypasses authentication, the linchpin; chained with a deserialization bug (26857) and arbitrary file-write bugs (26858, 27065), it gave unauthenticated attackers code execution and a web shell on the server. HAFNIUM ran it as a zero-day, and once details emerged, mass exploitation was immediate and indiscriminate.
- ProxyShell (August 2021). Discovered by Orange Tsai and demonstrated at Pwn2Own, CVE-2021-34473 (an ACL/path-confusion bypass), CVE-2021-34523 (privilege escalation in the PowerShell backend), and CVE-2021-31207 (arbitrary file write) chain into unauthenticated RCE through the Autodiscover/PowerShell path. Ransomware crews adopted it fast.
- The supporting cast. CVE-2020-0688 (a static cryptographic key shipped in every Exchange install, enabling authenticated RCE) and CVE-2021-42321 (a post-auth deserialization RCE) round out the cluster.
Each of these is the same fundamental story: a path through Exchange’s web-facing components, OWA, Autodiscover, ECP, the PowerShell backend, that an attacker can reach without valid credentials, ending in code execution on a server that holds the organization’s email and sits trusted deep in Active Directory.
Why Exchange is a permanent top-tier target
On-premise Exchange combines every property attackers want: it’s internet-facing by necessity (it has to receive mail and serve webmail), it’s deeply integrated with Active Directory (the Exchange server is highly privileged in the domain), it holds the organization’s communications (and the password-reset emails that unlock everything else), and its codebase is large, old, and complex with a steady history of reachable web vulnerabilities. The result is that Exchange isn’t occasionally vulnerable; it’s perennially targeted, and the OWASSRF chain in late 2022 showed the targeting didn’t stop after 2021.
The strategic implication many organizations drew from 2021 is the durable one: if you can move to Exchange Online, you shift this entire patch-and-defend burden to Microsoft, and you stop running one of the most-attacked server products in existence on your own perimeter. For those who must keep Exchange on-prem, it demands emergency-grade patching and hardening, indefinitely.
What to do
- Patch Exchange immediately and stay current, every cycle. All of these were fixed years ago; the victims were the servers that lagged. Treat Exchange security updates as emergencies, not maintenance-window items, given the disclosure-to-mass-exploitation speed.
- Assume compromise on any Exchange server that was internet-facing and unpatched in 2021. ProxyLogon and ProxyShell left web shells at massive scale. Hunt for ASPX web shells in OWA/ECP directories, the Exchange/IIS worker spawning shells, and the post-exploitation that followed (credential theft, AD reconnaissance). Microsoft and CISA published detailed IOCs and scripts; run them even now if you’ve never checked.
- Reduce internet exposure. Front OWA and Autodiscover with additional controls, and minimize what’s reachable. Accelerate any plan to move off on-prem Exchange.
- Treat the Exchange server as tier-zero in AD. Its privileges in the domain mean a compromise is often a path to domain dominance; segment and monitor it accordingly.
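As an added example (not code from the original post), two hunt checks in Python for the indicators listed above: ASPX files planted in Exchange's web-facing directories and the IIS worker process spawning a shell. The drop directories and worker process names are assumptions taken from public incident guidance, and every file path and process event is constructed sample data.

```python
"""Hunt checks for the indicators named above: ASPX files dropped into Exchange's
web-facing directories, and the IIS worker spawning a shell (constructed data)."""
from collections import namedtuple
from pathlib import PureWindowsPath

# Drop locations from public 2021 incident guidance (assumption: default
# install root; adjust to the server's actual path).
ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15"
DROP_DIRS = (
    r"C:\inetpub\wwwroot\aspnet_client",    # never holds legitimate .aspx
    ROOT + r"\FrontEnd\HttpProxy\owa\auth",
    ROOT + r"\FrontEnd\HttpProxy\ecp\auth",
)
WEB_WORKERS = {"w3wp.exe", "umworkerprocess.exe"}   # IIS and Unified Messaging
SHELLS = {"cmd.exe", "powershell.exe"}
ProcEvent = namedtuple("ProcEvent", "parent image")  # image paths of parent/child

def find_suspicious_aspx(files, baseline):
    """Return .aspx paths inside a drop directory that are absent from the
    known-good baseline (a file list from a clean install of the same CU)."""
    known = {PureWindowsPath(b) for b in baseline}   # compares case-insensitively
    hits = []
    for f in files:
        p = PureWindowsPath(f)
        if p.suffix.lower() != ".aspx" or p in known:
            continue
        if any(PureWindowsPath(d) in p.parents for d in DROP_DIRS):
            hits.append(f)
    return sorted(hits)

def find_shell_spawns(events):
    """Return events where an Exchange web worker spawned a command shell."""
    return [e for e in events
            if PureWindowsPath(e.parent).name.lower() in WEB_WORKERS
            and PureWindowsPath(e.image).name.lower() in SHELLS]

# Constructed samples: two legitimate OWA pages, two planted shells.
SAMPLE_FILES = [
    ROOT + r"\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    ROOT + r"\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
    ROOT + r"\FrontEnd\HttpProxy\owa\auth\supp0rt.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
]
SAMPLE_BASELINE = SAMPLE_FILES[:2]
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]
```

On a real server, feed `find_suspicious_aspx` a recursive directory listing and a baseline from a clean install of the same cumulative update, and feed `find_shell_spawns` Sysmon or EDR process-creation events.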
The reframe is to stop treating each Exchange RCE as a surprise and start treating on-premise Exchange as what it demonstrably is: a permanent, top-priority target that attackers return to relentlessly. 2021 was the year that became undeniable, with two unauthenticated RCE chains and an FBI cleanup operation. Patch it on the attackers’ clock, hunt the servers that lagged, and seriously weigh whether you should still be running it on your own perimeter at all. We track the Exchange entries as one ongoing story, because for the threat actors, on-prem Exchange has been a single, reliable front door for years.