CVE-2021-33766

Microsoft Exchange Server Information Disclosure Vulnerability

Basic Information

CVE State: PUBLISHED
Reserved Date: May 28, 2021
Published Date: July 14, 2021
Last Updated: February 04, 2025
Vendor: Microsoft
Product: Microsoft Exchange Server 2019 Cumulative Update 9, Microsoft Exchange Server 2016 Cumulative Update 20, Microsoft Exchange Server 2013 Cumulative Update 23, Microsoft Exchange Server 2016 Cumulative Update 19, Microsoft Exchange Server 2019 Cumulative Update 8
Description: Microsoft Exchange Server Information Disclosure Vulnerability

CVSS Scores

CVSS v3.1

7.3 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (added 2022-01-18 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-09-15 09:09:20 UTC) Source

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33766 https://www.zerodayinitiative.com/advisories/ZDI-21-798/

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-01-18 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

demossl/CVE-2021-33766-ProxyToken

Type: github • Created: 2021-09-15 09:09:20 UTC • Stars: 10

CVE-2021-33766-poc

bhdresh/CVE-2021-33766

Type: github • Created: 2021-08-31 22:03:13 UTC • Stars: 47

ProxyToken (CVE-2021-33766) : An Authentication Bypass in Microsoft Exchange Server POC exploit