ProxyShell Exchange Exploit Chain
Version v2.3
Difficulty Advanced
Updated 2025-02-15
Category Exploits & 0days

$349.99

ProxyShell — Exchange Server Pre-Auth RCE Chain

Chain of three vulnerabilities that together achieve unauthenticated remote code execution on Microsoft Exchange Server:

  • CVE-2021-34473 — Pre-authentication path confusion (ACL bypass) in the Client Access front end. The explicit-logon form of the Autodiscover URL (/autodiscover/autodiscover.json?@host/... with an Email parameter) is normalized so that the front end proxies the unauthenticated request to an arbitrary back-end endpoint such as /powershell or /mapi/nspi.
  • CVE-2021-34523 — Elevation of privilege on the Exchange PowerShell back end. The back end trusts the X-Rps-CAT query parameter, a serialized Common Access Token that the front end normally sets when it proxies a session, so a request that reaches it through the path confusion can carry a token naming an Exchange administrator and obtain a remote PowerShell session as that account.
  • CVE-2021-31207 — Post-authentication arbitrary file write. After granting the Mailbox Import Export role with New-ManagementRoleAssignment, New-MailboxExportRequest exports a mailbox as a PST file to an attacker-chosen UNC path, including a web-accessible directory. A webshell stored in a draft message lands in that file; because PST storage applies Outlook's byte-substitution ("compressible encryption") to message content, the payload is pre-encoded so that the exported bytes are plain ASP.NET.
  • Exploitation Flow — Step-by-step guide: path confusion (SSRF-style) to reach the Exchange PowerShell back end, X-Rps-CAT token manipulation for privilege escalation, mailbox creation and a draft message carrying the payload, and webshell deployment through the mailbox export.
  • Detection — Indicators of compromise: front-end IIS log entries for /autodiscover/autodiscover.json whose Email parameter itself contains autodiscover.json, back-end /powershell requests proxied from them, MailboxExportRequest and ManagementRoleAssignment entries in the admin audit log (Get-MailboxExportRequest lists leftover requests), and file-system artifacts such as .aspx or .pst files under web roots like C:\inetpub\wwwroot\aspnet_client\.
  • Affected Versions — Exchange Server 2013, 2016, and 2019 without the April 2021 security update (fixes CVE-2021-34473 and CVE-2021-34523) or the May 2021 security update (fixes CVE-2021-31207); these are security updates applied on top of the then-current cumulative updates, not cumulative updates themselves. Includes version detection script.
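The IIS log check that the Exploitation Flow and Detection entries above describe, written out as an added example that is not part of this listing or of the product it sells. The log lines are constructed for illustration, the X-Rps-CAT value is a placeholder rather than a real serialized token, and the 60-second correlation window and the /aspnet_client/ heuristic are assumptions to tune per environment.

```python
"""Added example: scan IIS W3C logs for ProxyShell request patterns.

The sample log below is constructed for illustration; the X-Rps-CAT value is a
placeholder rather than a real serialised access token.
"""
import re
from datetime import datetime
from urllib.parse import unquote

RULE_PATH_CONFUSION = "CVE-2021-34473 autodiscover path confusion"
RULE_CLIENT_TOKEN = "CVE-2021-34523 client-supplied X-Rps-CAT"
RULE_BACKEND_PS = "back-end /powershell reached via path confusion"
RULE_WEBSHELL = "possible webshell under /aspnet_client/ (CVE-2021-31207 drop site)"

# Constructed sample: front-end site (port 443) and back-end site (port 444)
# lines interleaved. Field layout is the IIS W3C default.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-12 14:02:11 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 31
2021-08-12 14:02:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@example.com&Protocol=ActiveSync 443 EXAMPLE\\jdoe 10.0.0.21 Outlook-iOS/2.0 - 200 0 0 22
2021-08-12 14:03:42 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 120
2021-08-12 14:03:43 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=PLACEHOLDER_TOKEN&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 245
2021-08-12 14:03:43 10.0.0.5 POST /powershell X-Rps-CAT=PLACEHOLDER_TOKEN 444 - 10.0.0.5 Microsoft+WinRM+Client - 200 0 0 210
2021-08-12 14:05:01 10.0.0.5 GET /aspnet_client/shell.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 15
2021-08-12 15:30:00 10.0.0.5 POST /powershell X-Rps-CAT=PLACEHOLDER_TOKEN 444 - 10.0.0.5 Microsoft+WinRM+Client - 200 0 0 190
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than crash
        yield dict(zip(fields, values))


def _record(ts, rec, uri, rule):
    return {"time": ts.isoformat(sep=" "), "client": rec["c-ip"], "rule": rule, "uri": uri}


def scan_iis_log(text, window_seconds=60):
    """Return ProxyShell hits as dicts with time, client, rule and uri.

    A back-end /powershell request carrying X-Rps-CAT is normal: the front end
    adds that token when it proxies every legitimate remote PowerShell session.
    It is therefore only reported when a path-confusion request was logged
    within window_seconds before it (assumed window, tune to your environment).
    """
    hits = []
    last_confusion = None
    for rec in parse_iis_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stem = rec["cs-uri-stem"].lower()
        raw_query = rec["cs-uri-query"]
        query = unquote(raw_query).lower()
        uri = rec["cs-uri-stem"] + ("" if raw_query == "-" else "?" + raw_query)

        if stem.endswith("/autodiscover/autodiscover.json") and (
                "autodiscover.json" in query or query.startswith("@")):
            # Legitimate Autodiscover V2 calls carry Email=<user>@<domain>; the
            # exploit's Email value is the autodiscover.json path itself and the
            # query begins with @host/<back-end path>.
            m = re.search(r"@[^/?]+(/[^?&]*)", query)
            hits.append(_record(ts, rec, uri, RULE_PATH_CONFUSION + " -> " + (m.group(1) if m else "?")))
            last_confusion = ts
            if "x-rps-cat=" in query:
                hits.append(_record(ts, rec, uri, RULE_CLIENT_TOKEN))
        elif stem.startswith("/powershell") and "x-rps-cat=" in query:
            if last_confusion is not None and (ts - last_confusion).total_seconds() <= window_seconds:
                hits.append(_record(ts, rec, uri, RULE_BACKEND_PS))
        elif stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
            # aspnet_client normally holds only static framework scripts, so any
            # .aspx served from it is worth a look. Heuristic, not a signature.
            hits.append(_record(ts, rec, uri, RULE_WEBSHELL))
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_IIS_LOG):
        print(h["time"], h["client"], h["rule"], h["uri"])
```

The legitimate Autodiscover V2 line (Email=jdoe@example.com) produces no hit even though it contains an @, and the 15:30 back-end /powershell line is ignored because no path-confusion request precedes it within the window; widen window_seconds and it is reported too. Point the script at the W3SVC1 (front end) and W3SVC2 (back end) log directories on a real server rather than the embedded sample.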