ProxyOracle Reflected XSS in Microsoft Exchange Server
CVE-2021-31195 is a reflected cross-site scripting (XSS) vulnerability in Microsoft Exchange Server, discovered by Orange Tsai and the DEVCORE team as part of the ProxyOracle attack chain. This vulnerability allows an attacker to inject malicious scripts into responses from the Exchange Client Access Service (CAS), which can be leveraged in combination with CVE-2021-31196 (padding oracle) to recover plaintext Exchange user passwords. The vulnerability is part of a broader set of architectural weaknesses in Exchange's CAS frontend, which have enabled multiple high-impact attack chains.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains operational exploit scripts for multiple high-profile Microsoft Exchange Server vulnerabilities: ProxyLogon (CVE-2021-26855, etc.), ProxyOracle (CVE-2021-31196), and ProxyShell (CVE-2021-34473, CVE-2021-31207). The structure includes four main Python scripts: - 26855.py: Implements the ProxyLogon exploit chain, culminating in the upload of a JScript webshell (api.aspx) to the Exchange server by abusing the OAB virtual directory. It automates the process of obtaining necessary tokens and SIDs, and provides a final webshell URL for remote code execution. - 31196.py: Implements the ProxyOracle padding oracle attack, allowing extraction of plaintext credentials from encrypted session cookies by exploiting a padding oracle vulnerability in OWA. It requires a valid 'cadata' cookie and outputs the decrypted username and password. - 34473.py: Implements the ProxyShell exploit chain, allowing remote PowerShell command execution on the Exchange server. It automates the process of obtaining a valid CommonAccessToken and then uses pypsrp to execute arbitrary PowerShell scripts remotely. - 31207.py: Works with 34473.py to deliver arbitrary files (e.g., malicious PDFs) to user mailboxes and then exports mailbox contents to a specified UNC path, leveraging Exchange's mailbox export features. A users.txt file provides a list of default or known usernames to assist in the exploitation process. The README.md gives usage instructions and references for each exploit. The scripts are operational and automate the full exploitation process, including credential extraction, webshell upload, remote command execution, and file delivery. The main attack vector is network-based, targeting exposed Exchange web services (ECP, OWA, Autodiscover, EWS, and PowerShell endpoints).
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.