Microsoft Exchange Server SSRF (ProxyLogon) — cited in 2026-05-16 § 5 deep dive Background as precedent for on-prem Exchange exploitation pattern
cve · CVE-2021-26855
- Coverage timeline: 1 (first 2026-05-16 → last 2026-05-16)
- Briefs: 1 (1 distinct)
- Sources cited: 78 (38 hosts)
- Sections touched: 0
- Co-occurring entities: 0 (no co-occurrence)
Story timeline
- 2026-05-16: CTI Daily Brief — 2026-05-16
Source distribution
- attack.mitre.org: 12 (15%)
- microsoft.com: 9 (12%)
- github.com: 5 (6%)
- thehackernews.com: 4 (5%)
- bleepingcomputer.com: 3 (4%)
- helpnetsecurity.com: 3 (4%)
- security-hub.ncsc.admin.ch: 3 (4%)
- theregister.com: 3 (4%)
- other: 36 (46%)
External references
All cited sources (78)
- microsoft.com (primary, inline): Microsoft Threat Intelligence, 2021-03-02. https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- microsoft.com (primary, inline): Microsoft Security Blog, 2026-05-01. https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
- microsoft.com (primary, inline): Microsoft Security Blog, 2026-05-04. https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
- microsoft.com (primary, inline): Microsoft Security Blog, 2026-05-06. https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
- microsoft.com (primary, inline): Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
- microsoft.com (primary, inline): Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/
- microsoft.com (primary, inline): Microsoft Security Blog, 2026-05-12. https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-finds-16-new-vulnerabilities/
- microsoft.com (primary, inline): Microsoft IR, 2026-05-12. https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/
- microsoft.com (primary, inline): Microsoft Threat Intelligence, 2026-05-14. https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
- access.redhat.com (inline): Red Hat, updated 2026-05-09. https://access.redhat.com/security/vulnerabilities/RHSB-2026-003
- advisories.ncsc.nl (inline): NCSC-NL NCSC-2026-0158, 2026-05-15. https://advisories.ncsc.nl/advisory?id=NCSC-2026-0158
- advisories.ncsc.nl (inline): NCSC-NL NCSC-2026-0159, 2026-05-15. https://advisories.ncsc.nl/advisory?id=NCSC-2026-0159
- akamai.com (inline): Akamai Security Research. https://www.akamai.com/blog/security-research/incomplete-patch-apt28s-zero-day-cve-2026-32202
- amd.com (inline): AMD Product Security, 2026-05-12. https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html
- attack.mitre.org (inline): T1027. https://attack.mitre.org/techniques/T1027/
- attack.mitre.org (inline): T1056.001. https://attack.mitre.org/techniques/T1056/001/
- attack.mitre.org (inline): T1068. https://attack.mitre.org/techniques/T1068/
- attack.mitre.org (inline): T1071.001. https://attack.mitre.org/techniques/T1071/001/
- attack.mitre.org (inline): T1090.001. https://attack.mitre.org/techniques/T1090/001/
- attack.mitre.org (inline): T1095. https://attack.mitre.org/techniques/T1095/
- attack.mitre.org (inline): T1114.002. https://attack.mitre.org/techniques/T1114/002/
- attack.mitre.org (inline): T1528. https://attack.mitre.org/techniques/T1528/
- attack.mitre.org (inline): T1556. https://attack.mitre.org/techniques/T1556/
- attack.mitre.org (inline): T1557. https://attack.mitre.org/techniques/T1557/
- attack.mitre.org (inline): T1562.001. https://attack.mitre.org/techniques/T1562/001/
- attack.mitre.org (inline): T1566.004. https://attack.mitre.org/techniques/T1566/004/
- bitdefender.com (inline): Bitdefender Labs, 2026-05-13. https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
- bleepingcomputer.com (inline): BleepingComputer — MuddyWater hackers use Chaos ransomware as a decoy. https://www.bleepingcomputer.com/news/security/muddywater-hackers-use-chaos-ransomware-as-a-decoy-in-attacks/
- bleepingcomputer.com (inline): BleepingComputer, 2026-05-05. https://www.bleepingcomputer.com/news/security/new-stealthy-quasar-linux-malware-targets-software-developers/
- bleepingcomputer.com (inline): BleepingComputer, 2026-05-13. https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
- blog.talosintelligence.com (inline): Cisco Talos, 2026-05-05. https://blog.talosintelligence.com/cloudz-pheno-infostealer/
- blog.talosintelligence.com (inline): Cisco Talos, 2026-05-05. https://blog.talosintelligence.com/uat-8302/
- ccb.belgium.be (inline): CCB Belgium, 2026-05-08. https://ccb.belgium.be/advisories/warning-dirty-frag-new-linux-local-privilege-escalation-vulnerability-was-disclosed
- cert.europa.eu (inline): CERT-EU 2026-005. https://cert.europa.eu/publications/security-advisories/2026-005/
- cert.ssi.gouv.fr (inline): CERT-FR — CERTFR-2026-ACT-016, 2026-05-08. https://www.cert.ssi.gouv.fr/actualite/CERTFR-2026-ACT-016/
- cisa.gov (inline): CISA Alert AA21-321A, 2021-11-17. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
- cisa.gov (inline): CISA KEV entry CVE-2026-31431. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- cloud.google.com (inline): Google Threat Intelligence Group, 2026-05-15. https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/
- cyera.com (inline): Cyera Research, 2026-05-15. https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw
- elastic.co (inline): Elastic Security Labs, 2026-05-07. https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
- github.com (inline): Researcher write-up (V4bel), 2026-05-07. https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md
- github.com (inline): HealthChecker.ps1. https://github.com/microsoft/CSS-Exchange
- github.com (inline): GitHub GHSA-2ww3-72rp-wpp4. https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
- github.com (inline): GitHub GHSA-xjw9-4gw8-4rqx. https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx
- github.com (inline): GitHub Security Advisory GHSA-c9ph-gxww-7744, 2026-04-29. https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744
- helpnetsecurity.com (inline): Help Net Security, 2026-04-29. https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/
- helpnetsecurity.com (inline): Help Net Security, 2026-05-08. https://www.helpnetsecurity.com/2026/05/08/dirty-frag-linux-vulnerability-cve-2026-43284-cve-2026-43500/
- helpnetsecurity.com (inline): Help Net Security, 2026-05-12. https://www.helpnetsecurity.com/2026/05/12/microsoft-may-2026-patch-tuesday/
- isc.sans.edu (inline): SANS ISC Diary, 2026-05-04. https://isc.sans.edu/diary/Cleartext+Passwords+in+MS+Edge+In+2026/32954/
- krebsonsecurity.com (inline): Krebs on Security, 2026-05-12. https://krebsonsecurity.com/2026/05/patch-tuesday-may-2026-edition/
- malwarebytes.com (inline): Malwarebytes — Shub Stealer earlier wave, 2026-03. https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets
- msrc.microsoft.com (inline): Microsoft MSRC, 2026-05-14. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897
- msrc.microsoft.com (inline): Microsoft MSRC. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202
- nvd.nist.gov (inline): NVD — CVE-2026-32202. https://nvd.nist.gov/vuln/detail/CVE-2026-32202
- oasis.security (inline): Oasis Security, 2026-05-07. https://www.oasis.security/blog/cline-kanban-websocket-hijack
- rapid7.com (inline): Rapid7 — Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware. https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/
- securelist.com (inline): Securelist (Kaspersky), 2026-05-12. https://securelist.com/state-of-ransomware-in-2026/119761/
- securelist.com (inline): Kaspersky Securelist — Exploits and Vulnerabilities Q1 2026. https://securelist.com/vulnerabilities-and-exploits-in-q1-2026/119733/
- security-hub.ncsc.admin.ch (inline): NCSC-CH Security Hub #12574, 2026-05-14. https://security-hub.ncsc.admin.ch/#/posts/12574
- security-hub.ncsc.admin.ch (inline): NCSC-CH Security Hub #12577, 2026-05-15. https://security-hub.ncsc.admin.ch/#/posts/12577
- security-hub.ncsc.admin.ch (inline): NCSC-CH Security Hub post 12547, 2026-05-08. https://security-hub.ncsc.admin.ch/api/posts/12547/details
- securityweek.com (inline): SecurityWeek — Iranian APT intrusion masquerades as Chaos ransomware attack. https://www.securityweek.com/iranian-apt-intrusion-masquerades-as-chaos-ransomware-attack/
- techcommunity.microsoft.com (inline): Microsoft, 2021-09-28. https://techcommunity.microsoft.com/blog/exchange/new-security-feature-in-september-2021-cumulative-update-for-exchange-server/2783477
- techcommunity.microsoft.com (inline): Microsoft Exchange Team, 2026-05-14. https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- techzine.eu (inline): Techzine, 2026-02-16. https://www.techzine.eu/news/security/138806/data-breach-at-odido-responsibility-and-compensation-under-discussion/
- tenable.com (inline): Tenable, 2026-05-12. https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103
- thehackernews.com (inline): The Hacker News, 2026-05-15. https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
- thehackernews.com (inline): The Hacker News, 2026-05-15. https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
- thehackernews.com (inline): The Hacker News, 2026-05-04. https://thehackernews.com/2026/05/progress-patches-critical-moveit.html
- thehackernews.com (inline): The Hacker News, 2026-05-15. https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
- theregister.com (inline): The Register, 2026-02-27. https://www.theregister.com/2026/02/27/odido_shinyhunters_leaks/
- theregister.com (inline): The Register, 2026-05-13. https://www.theregister.com/patches/2026/05/13/doozy-of-a-patch-tuesday-includes-30-critical-microsoft-cves/5239224
- theregister.com (inline): The Register, 2026-05-13. https://www.theregister.com/security/2026/05/13/disgruntled-researcher-releases-two-more-microsoft-zero-days/5239758
- thezdi.com (inline): ZDI, 2026-05-12. https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review
- unit42.paloaltonetworks.com (inline): Unit 42 — Copy Fail. https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/
- wid.cert-bund.de (inline): BSI WID-SEC-2026-1536, 2026-05-14. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1536
- wiz.io (inline): Wiz Research. https://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc
- xenbits.xen.org (inline): XSA-490. https://xenbits.xen.org/xsa/advisory-490.html
Items in briefs about Microsoft Exchange Server SSRF (ProxyLogon) — cited in 2026-05-16 § 5 deep dive Background as precedent for on-prem Exchange exploitation pattern
No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.