Microsoft Exchange Server
Microsoft Exchange Server is an on-premises email and collaboration platform found in enterprise networks. Exchange has been one of the most targeted server products for exploitation, with several critical vulnerability chains disclosed between 2021 and 2023. Organizations running Exchange on-premises are strongly recommended to maintain current Cumulative Update (CU) levels.
Querying Exchange Server
Product identifier: microsoft_exchange
Example versions: 15.2.986.5, 15.1.2507.21

```shell
curl "https://api.attestd.io/v1/check?product=microsoft_exchange&version=15.2.986.5" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

Exchange Server version numbering uses a four-part build string. Exchange 2019 CU10 corresponds to build 15.2.986. Use the full four-part build number for the most accurate range matching. The value is reported by the Exchange Admin Center or Get-ExchangeDiagnosticInfo.
```json
{
  "product": "microsoft_exchange",
  "version": "15.2.986.5",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "15.2.1118.7",
  "confidence": 0.87,
  "cve_ids": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-27065"],
  "last_updated": "2026-02-23T18:21:30Z"
}
```

CU notation and build numbers
Exchange uses two version naming conventions that appear in different contexts:
| Format | Example | Notes |
|---|---|---|
| Marketing name | Exchange 2019 CU14 | Used in documentation and release notes |
| Build number | 15.2.1544.4 | Used in NVD version ranges; preferred for API queries |
Attestd normalizes CU notation (e.g. CU14 becomes .14), but supplying the four-part build number directly produces the most reliable result because NVD version ranges use build numbers.
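The following is an added example, not Attestd's own client code, that ties the query above to the build-number advice in this section: it builds the check URL, compares the installed four-part build against `fixed_version` numerically (a plain string comparison would rank 15.2.986.5 above 15.2.1118.7), and turns the response fields shown above into a triage priority. The response is embedded inline (the subset of fields used), and the priority labels are this example's own convention.

```python
from urllib.parse import urlencode

API = "https://api.attestd.io/v1/check"

# Subset of the /v1/check response shown on this page, embedded so the
# example runs offline (no network call is made here).
SAMPLE_RESPONSE = {
    "product": "microsoft_exchange",
    "version": "15.2.986.5",
    "risk_state": "critical",
    "actively_exploited": True,
    "remote_exploitable": True,
    "authentication_required": False,
    "patch_available": True,
    "fixed_version": "15.2.1118.7",
    "cve_ids": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-27065"],
}


def parse_build(version: str) -> tuple[int, ...]:
    """Turn a four-part Exchange build ('15.2.986.5') into an int tuple so
    builds compare numerically; rejects anything that is not four parts."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part build number, got {version!r}")
    return parts


def check_url(product: str, version: str) -> str:
    """Same query the curl command on this page sends (without the auth header)."""
    return f"{API}?{urlencode({'product': product, 'version': version})}"


def triage(resp: dict) -> dict:
    """Derive a patching priority from the response fields (example convention):
    emergency = below the fixed build and exploited remotely without auth,
    high = below the fixed build, informational = at or above the fixed build."""
    installed = parse_build(resp["version"])
    fixed = resp.get("fixed_version")
    below_fix = fixed is not None and installed < parse_build(fixed)
    preauth_active = (resp.get("actively_exploited") and resp.get("remote_exploitable")
                      and not resp.get("authentication_required"))
    if below_fix and preauth_active:
        priority = "emergency"
    elif below_fix:
        priority = "high"
    else:
        priority = "informational"
    return {"priority": priority, "below_fix": below_fix,
            "fixed_version": fixed, "cves": list(resp.get("cve_ids", []))}
```

Running `triage(SAMPLE_RESPONSE)` on the response above yields an "emergency" priority with the three ProxyLogon CVE IDs; re-running it with `version` set to the fixed build drops it to "informational".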
CVE history
Exchange has seen three significant vulnerability chains since 2021, each involving multiple CVEs that combine to allow pre-authentication remote code execution. All three chains were actively exploited before patches were fully deployed across the installed base.
| CVE | Description | Severity |
|---|---|---|
| CVE-2021-26855 (KEV) | Server-side request forgery allows an unauthenticated attacker to bypass authentication and impersonate any user including admins. The authentication bypass in this CVE is typically the entry point for the ProxyLogon chain. | 9.8 |
| CVE-2021-26857 (KEV) | Insecure deserialization in the Unified Messaging service allows code execution as SYSTEM. Combined with CVE-2021-26855 for a full pre-auth RCE chain. | 7.8 |
| CVE-2021-27065 (KEV) | Arbitrary file write via the Exchange Control Panel. Post-authentication path used to write a web shell to disk after abusing the auth bypass in CVE-2021-26855. | 7.8 |
| CVE-2021-34473 (KEV) | ACL bypass via URL normalization. Allows access to the Exchange backend endpoint without proper authorization, forming the authentication bypass component of ProxyShell. | 9.8 |
| CVE-2022-41040 (KEV) | Server-side request forgery that allows an authenticated attacker to reach Exchange backend endpoints. Combined with CVE-2022-41082 for post-authentication RCE. Exploited before patch release. | 8.8 |
| CVE-2022-41082 (KEV) | Remote code execution via PowerShell when an attacker can reach the backend Exchange endpoint. Requires authentication, typically obtained via CVE-2022-41040. | 8.8 |
KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.