What is CVE-2021-31206?

CVE-2021-31206 is a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of Microsoft Exchange Server.

Is user interaction required to exploit CVE-2021-31206?

Yes, user interaction is required to exploit this vulnerability.

How does the vulnerability in CVE-2021-31206 occur?

The vulnerability in CVE-2021-31206 occurs within the parsing of CAB files.

Which products are affected by CVE-2021-31206?

Microsoft Exchange Server 2013 (Cumulative Update 23), Microsoft Exchange Server 2016 (Cumulative Update 20 and Cumulative Update 21), and Microsoft Exchange Server 2019 (Cumulative Update 9 and Cumulative Update 10) are affected by CVE-2021-31206.

What is the severity of CVE-2021-31206?

CVE-2021-31206 has a severity score of 8, which is considered high.

How can I fix CVE-2021-31206?

To fix CVE-2021-31206, apply the relevant security updates provided by Microsoft.

Where can I find more information about CVE-2021-31206?

You can find more information about CVE-2021-31206 on the Microsoft Security Response Center website and the Zero Day Initiative website.

Vulnerability/
CVE-2021-31206

high

14/7/2021

16/1/2024

3/8/2024

CVE-2021-31206: (Pwn2Own) Microsoft Exchange Server CabUtility ExtractCab Directory Traversal Remote Code Execution Vulnerability

First published: Wed Jul 14 2021(Updated: )

Microsoft Exchange Server Remote Code Execution Vulnerability

Credit: secure@microsoft.com secure@microsoft.com

Affected Software	Affected Version	How to fix
	=2013-cumulative_update_23
	=2016-cumulative_update_20
	=2016-cumulative_update_21
	=2019-cumulative_update_10
	=2019-cumulative_update_9
Microsoft Exchange Server	=2013-cumulative_update_23
Microsoft Exchange Server	=2016-cumulative_update_20
Microsoft Exchange Server	=2016-cumulative_update_21
Microsoft Exchange Server	=2019-cumulative_update_10
Microsoft Exchange Server	=2019-cumulative_update_9

Remedy

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31206

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-31206?
CVE-2021-31206 is a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of Microsoft Exchange Server.
Is user interaction required to exploit CVE-2021-31206?
Yes, user interaction is required to exploit this vulnerability.
How does the vulnerability in CVE-2021-31206 occur?
The vulnerability in CVE-2021-31206 occurs within the parsing of CAB files.
Which products are affected by CVE-2021-31206?
Microsoft Exchange Server 2013 (Cumulative Update 23), Microsoft Exchange Server 2016 (Cumulative Update 20 and Cumulative Update 21), and Microsoft Exchange Server 2019 (Cumulative Update 9 and Cumulative Update 10) are affected by CVE-2021-31206.
What is the severity of CVE-2021-31206?
CVE-2021-31206 has a severity score of 8, which is considered high.
How can I fix CVE-2021-31206?
To fix CVE-2021-31206, apply the relevant security updates provided by Microsoft.
Where can I find more information about CVE-2021-31206?
You can find more information about CVE-2021-31206 on the Microsoft Security Response Center website and the Zero Day Initiative website.

agent/type
agent/last-modified-date
agent/first-publish-date
agent/author
agent/softwarecombine
collector/zdi-advisory
source/ZDI
alias/ZDI-21-826
alias/ZDI-CAN-13595
alias/CVE-2021-31206
agent/software-canonical-lookup
agent/title
agent/remedy
agent/references
agent/severity
agent/description
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-index
agent/tags
collector/mitre-cve
source/MITRE
vendor/microsoft
canonical/microsoft exchange
canonical/microsoft exchange server
version/microsoft exchange server/2013-cumulative_update_23
version/microsoft exchange server/2016-cumulative_update_20
version/microsoft exchange server/2016-cumulative_update_21
version/microsoft exchange server/2019-cumulative_update_10
version/microsoft exchange server/2019-cumulative_update_9