CVE-2021-26897: Windows DNS Server Remote Code Execution Vulnerability
Published: 2021-03-11
Priority: P186 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW) · VulnCheck KEV
EPSS: 13.91% (96.1th percentile)
Affected (25 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.0.0 < publication | publication |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.0 < publication | publication |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.0 < publication | publication |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.0 < publication | publication |
| microsoft | windows_server_2012_r2 | >= 6.3.0 < publication | publication |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | >= 10.0.0 < publication | publication |
| microsoft | windows_server_2019 | >= 10.0.0 < publication | publication |
| microsoft | windows_server_version_2004 | >= 10.0.0 < publication | publication |
| microsoft | windows_server_version_20h2 | >= 10.0.0 < publication | publication |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_version_1909 | — | — |
| msrc | windows_server_version_2004 | — | — |
| msrc | windows_server_version_20h2 | — | — |
Detection & IOCs
Port: 53/tcp
Snort/Suricata rule (ET EXPLOIT, sid 2032348):
```
alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26897)"; dsize:>1300; content:"|29 00|"; offset:2; depth:2; threshold:type limit, count 45, seconds 90, track by_src; reference:cve,2021-26897; classtype:attempted-admin; sid:2032348; rev:1; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26897, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_30;)
```
Byte pattern: |29 00| at offset 2, depth 2, in TCP packets to port 53 with dsize >1300
- Triggers on TCP packets to DNS servers (port 53) whose payload is larger than 1300 bytes and carries the byte sequence 0x29 0x00 at payload offset 2, which is characteristic of CVE-2021-26897 exploit attempts. Alerting is rate-limited to 45 events per 90 seconds per source IP to reduce noise.
- The vulnerability is only exploitable on servers with dynamic DNS updates enabled; prioritize monitoring and patching of DNS servers where dynamic updates are active.
- Secure Zone Updates is only a partial mitigation and does not fully prevent exploitation of CVE-2021-26897.
- Servers not configured as DNS servers are not vulnerable.
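As an added example (not code from the rule's authors or from any source on this page), the rule's match options and its `threshold:type limit` semantics re-implemented in Python and run over constructed DNS-over-TCP payloads; the payload layout helper and the 192.0.2.x sample addresses are assumptions made for the demonstration.

```python
# Re-implementation of the ET rule's match options (dsize:>1300; content:"|29 00|";
# offset:2; depth:2) and its "threshold:type limit, count 45, seconds 90, track by_src"
# semantics, applied to constructed packets. Added example, not the rule author's code.
DSIZE_MIN = 1300            # dsize:>1300  (TCP payload length, strictly greater)
PATTERN = b"\x29\x00"       # content:"|29 00|"
OFFSET, DEPTH = 2, 2        # search window starts at payload byte 2 and spans 2 bytes
LIMIT_COUNT, LIMIT_SECONDS = 45, 90

def packet_matches(payload: bytes, dst_port: int) -> bool:
    """True when a TCP payload to dst_port satisfies every match option of the rule."""
    if dst_port != 53 or len(payload) <= DSIZE_MIN:
        return False
    return payload[OFFSET:OFFSET + DEPTH] == PATTERN

class LimitThreshold:
    """Snort/Suricata 'type limit': alert on the first `count` matches from a source
    within `seconds`, then suppress further alerts until that window expires."""
    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.state = {}     # src -> (window_start, alerts_emitted_in_window)

    def should_alert(self, src: str, now: float) -> bool:
        start, n = self.state.get(src, (now, 0))
        if now - start >= self.seconds:      # window expired: open a new one
            start, n = now, 0
        allowed = n < self.count
        self.state[src] = (start, n + 1 if allowed else n)
        return allowed

def run_rule(packets):
    """packets: iterable of (timestamp, src_ip, dst_port, payload). Returns emitted alerts."""
    thr = LimitThreshold(LIMIT_COUNT, LIMIT_SECONDS)
    return [(ts, src) for ts, src, dport, payload in packets
            if packet_matches(payload, dport) and thr.should_alert(src, ts)]

def dns_tcp_payload(txid: bytes, size: int) -> bytes:
    """Constructed DNS-over-TCP payload (assumed layout): 2-byte length prefix, then a
    message whose first two bytes are the transaction ID, zero-padded to `size` bytes."""
    return (size - 2).to_bytes(2, "big") + txid + b"\x00" * (size - 4)

# Constructed traffic (not captured data): a 60-packet burst from one source that
# matches, plus two packets that miss on the byte pattern and on dsize respectively.
SAMPLE = [(float(t), "192.0.2.10", 53, dns_tcp_payload(b"\x29\x00", 1400)) for t in range(60)]
SAMPLE += [(5.0, "192.0.2.11", 53, dns_tcp_payload(b"\x12\x34", 1400)),
           (6.0, "192.0.2.12", 53, dns_tcp_payload(b"\x29\x00", 512))]

if __name__ == "__main__":
    alerts = run_rule(SAMPLE)
    print(f"{len(alerts)} alerts, all from {alerts[0][1]}")   # 45 alerts: the limit caps the burst
```

Because the limit is tracked per source, a second source starting its own burst gets its own 45-alert budget, which is why the rule keeps `track by_src` rather than a global counter.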
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
GHSA (each entry ghsa_unreviewed · 2022-05-24 · CVSS 9.8)
- GHSA-8546-vjcf-9r45 / CVE-2021-26893 [CRITICAL]: Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26877, CVE-2021-26894, CVE-2021-26895, CVE-2021-26897.
- GHSA-86v8-8qp7-vj9r / CVE-2021-26877 [CRITICAL] CWE-94: Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26893, CVE-2021-26894, CVE-2021-26895, CVE-2021-26897.
- GHSA-wjv8-g83f-g23g / CVE-2021-26895 [CRITICAL]: Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26897.
- GHSA-5hxq-rvgg-jqff / CVE-2021-26897 [CRITICAL]: Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895.
- GHSA-96hx-qvj2-8fpm / CVE-2021-26894 [CRITICAL]: Windows DNS Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26877, CVE-2021-26893, CVE-2021-26895, CVE-2021-26897.
VulnCheck
vulncheck · 2021 · CVSS 9.8
CVE-2021-26897 [CRITICAL] Windows DNS Server Remote Code Execution Vulnerability
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://go.catonetworks.com/rs/245-RJK-441/images/CATO-NETWORKS-THREAT-REPORT2024.pdf
- https://go.catonetworks.com/rs/245-RJK-441/images/Q2_24_Cato_CTRL_Threat_Report.pdf
- https://go.catonetworks.com/rs/245-RJK-441/images/CATO_CTRL_Report_Q3_2024.pdf
- https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2025_Trustwave_Hospitality_Risk_Radar.pdf
Microsoft
vendor_msrc · 2021-03-09 · CVSS 9.8
CVE-2021-26897 [CRITICAL] Windows DNS Server Remote Code Execution Vulnerability
FAQ: Can this vulnerability be mitigated by enabling Secure Zone Updates?
Enabling Secure Zone Updates constrains the potential sources of the attack, but does not completely prevent it. For example, a malicious insider could attack a “secure zone update” DNS server from a domain-joined computer. This is only a partial mitigation.
FAQ: Does this vulnerability impact just a standalone DNS Primary Authoritative Server and not a DNS Server integrated with Active Directory?
This vulnerability impacts any DNS server. The surrounding configuration can limit possible vectors/sources for the attack, but proper mitigation requires this month’s security update patch.
FAQ: If my server is not configured to be a DNS server, is it vulnerable?
No, this v
Suricata
suricata · 2021-03-30 · CVSS 9.8
CVE-2021-26897 [CRITICAL] ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26897)
Rule: sid 2032348, rev 1; the full rule text is quoted in the Detection & IOCs section above.
No public exploits indexed.
Trendmicro
blogs_trendmicro · 2021-03-10 · CVSS 9.1
[CRITICAL] March Patch Tuesday: Fixes for Exchange Server, IE
# March Patch Tuesday: Fixes for Exchange Server, IE
This month’s Patch Tuesday includes fixes already released for the Microsoft Exchange Server zero-day flaws attributed to Hafnium attacks.
By: Trend Micro
2021/03/10
This month’s Patch Tuesday features close to a hundred fixes, almost doubling last month’s total. The list includes patches already released for the Microsoft Exchange Server zero-day flaws attributed to Hafnium attacks.
Out of 89 patches released, 14 were rated Critical while the rest were deemed Important. Most of the critical vulnerabilities involve remote code execution (RCE), except for an information disclosure bug. Fifteen of these were reported by the Zero Day Initiative (ZDI).
Microsoft Exchange Server Vulnerabilities
Th
Qualys
blogs_qualys · 2021-03-09 · CVSS 7.8
CVE-2021-26411 [HIGH] March 2021 Patch Tuesday – 82 Vulnerabilities, 10 Critical, Adobe | Qualys
This month’s Microsoft Patch Tuesday addresses 82 vulnerabilities, of which 10 are rated with Critical severity. This follows an out-of-band security update on March 2 to address critical vulnerabilities in Microsoft Exchange. Adobe released patches today for its FrameMaker, Creative Cloud Desktop, and Adobe Connect products.
### Internet Explorer Memory Corruption Vulnerability
Microsoft released patches addressing another 0-day vulnerability (CVE-2021-26411). This is a memory corruption vulnerability in Internet Explorer. This CVE already has a working exploit and is assigned a CVSSv3 base score of 8.8 by the vendor.
### Windows Hyper-V Remote Code Execution (RCE) Vulnerability
Microsoft released patches to fix a RCE vulnerability in Windows Hyper-V (CVE-2021-26867). This vulnerabili
Tenable
blogs_tenable · 2021-03-09 · CVSS 8.8
[HIGH] Microsoft’s March 2021 Patch Tuesday Addresses 82 CVEs (CVE-2021-26411)
Talos
blogs_talos · 2021-03-09 · CVSS 8.8
[HIGH] Microsoft Patch Tuesday for March 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Nick Biasini.
Microsoft released its monthly security update Tuesday, disclosing 89 vulnerabilities across its suite of products, the most in any month so far this year.
There are 14 critical vulnerabilities as part of this release and one considered of “low” severity. The remainder are all “important.” Three of the critical vulnerabilities are the ones Microsoft disclosed last week in Exchange Server that the company said state-sponsored actors exploited in the wild to steal emails. Microsoft also announced Monday they were releasing patches for older versions of Exchange Server.
All organizations using the affected software should prevent external access to port 443 on Exchange Servers, or set up a VPN to provide external access to port 443. Thi
Zscaler
blogs_zscaler · CVSS 7.0
[HIGH] Zscaler protects against 7 new vulnerabilities for MS-Window
Crowdstrike
blogs_crowdstrike · CVSS 7.5
[HIGH] March 2021 Patch Tuesday: Updates and Analysis