Microsoft Exchange Server Remote Code Execution Vulnerability
Conclusion & alert: CVE-2021-26857 is rated Critical Active Threat (96.1/100): CVSS High severity, with high exploitation likelihood (EPSS 94.01%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2021-11-03) affecting Microsoft / Exchange Server. a weakness (CWE-502) Unauthenticated remote administrative access may be possible. EPSS rose +54.60% over the last day, indicating growing attacker interest. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Microsoft Exchange Server Remote Code Execution Vulnerability · CISA KEV detail
: 2021-11-03
: 2022-05-03
: Apply updates per vendor instructions.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 39.41% | 94.01% | +54.60% |
| 2 | 2026-06-14 | 40.51% | 39.41% | -1.10% |
| 3 | 2026-06-10 | — | 40.51% | — |
Full EPSS history (149 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.8 | 3.1 | HIGH |
|
1.8 | 5.9 | [email protected] |
| 7.8 | 3.1 | HIGH |
|
1.8 | 5.9 | [email protected] |
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| microsoft | exchange_server | 2010 | cpe:2.3:a:microsoft:exchange_server:2010:sp3:*:*:*:*:*:* |
| microsoft | exchange_server | 2013 | cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:* |
| microsoft | exchange_server | 2013 | cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:* |
| microsoft | exchange_server | 2013 | cpe:2.3:a:microsoft:exchange_server:2013:sp1:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:* |
| microsoft | exchange_server | 2016 | cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:* |
| microsoft | exchange_server | 2019 | cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857 | Patch Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26857 | US Government Resource |